> > Am Mittwoch, den 21.02.2018, 10:08 +0100 schrieb Raphael Hertzog: > > Hello, > > > > On Wed, 27 Dec 2017, Benjamin Drung wrote: > > > The wget binary depends on many libraries. On Debian 9 (stretch) > > > these > > > are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, > > > libnettle6, > > > libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 > > > megabytes. > > > This increases the initramfs size a lot. To save space, use wget > > > from > > > busybox instead. Commit 4328832d0 that adds wget does not give a > > > reason > > > why busybox's wget is not used. A patch is tested and attached. > > > > The usual reason is for "https" support. Have you tried to use https > > URLs in the various places where we can use URLs? > > Okay. I did some tests in a minimal schroot environment: > > (stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version > Version: 1:1.22.0-19+b3 > (stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/ > wget: not an http or ftp url: https://bugs.debian.org/ > > (buster)root@konstrukt:~# dpkg -s busybox | grep ^Version > Version: 1:1.27.2-2 > (buster)root@konstrukt:~# busybox wget https://bugs.debian.org/ > Connecting to bugs.debian.org (209.87.16.39:443) > Connecting to www.debian.org (5.153.231.4:443) > index.html 100% |***************| 18089 0:00:00 ETA > > So busybox in stretch does not support HTTPS, but it supports HTTPS in > testing/unstable.
Busybox version of wget does not check the certificate at all, which defeat the purpose of https. Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/' and busybox wget 'https://expired.badssl.com/' - Kristian