author | Joey Hess <joey@kitenet.net> | 2013-12-27 01:53:49 (GMT) |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2013-12-27 01:56:27 (GMT) |
commit | e6380aad7870678bd23a9f4e23beb73c2b20d79c (patch) | |
tree | d669db1381fc2c702880d53283fdf398d6cff8fa /functions | |
parent | 299a5cc6a647fa2a176b12a5314fc8bbb7be1d1b (diff) | |
default to https mirror for Debian when no gpg verification is available
When debootstrapping Debian, and the debian-archive-keyring is not
available, switch the default mirror to a https url. This way at least the
CA level of security is available even for users who have no way to check
gpg keys in the WoT. The https mirror is currently
https://mirrors.kernel.org/debian.
When the keyring is available, the default mirror remains non-https,
for several reasons:
a) to avoid overloading mirrors.kernel.org
b) because http.us.debian.org lacks https support
c) because mirrors.kernel.org is not currently in the
http.us.debian.org rotation
d) because mirrors.kernel.org lacks IPv6 support
Diffstat (limited to 'functions')
-rw-r--r-- | functions | 16 |
1 files changed, 11 insertions, 5 deletions
@@ -196,9 +196,17 @@ download_style () {
 }
 keyring () {
- KEYRING_WANTED="$1"
- if [ -z "$KEYRING" ] && [ -e "$KEYRING_WANTED" ]; then
- KEYRING="$KEYRING_WANTED"
+ if [ -z "$KEYRING" ]; then
+ if [ -e "$1" ]; then
+ KEYRING="$1"
+ elif [ -z "$DISABLE_KEYRING" ]; then
+ if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] ; then
+ info KEYRING "Keyring file not available at %s; switching to https mirror %s" "$1" "$DEF_HTTPS_MIRROR"
+ DEF_MIRROR="$DEF_HTTPS_MIRROR"
+ else
+ warning KEYRING "Cannot check Release signature; keyring file not available %s" "$1"
+ fi
+ fi
 fi
 }
@@ -520,8 +528,6 @@ download_release_sig () {
 (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
 "$relsigdest" "$reldest" || true) | read_gpg_status
 progress 100 100 DOWNRELSIG "Downloading Release file signature"
- elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
- warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 fi
 } |
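Review bot: The https branch of `keyring()` reports the missing keyring only through `info` and never says that the Release signature will go unchecked, while the `else` branch still raises `warning` for the same condition. TLS to `$DEF_HTTPS_MIRROR` authenticates the mirror host and protects the transport, but it does not authenticate the archive contents, so whatever that mirror serves is installed without gpg verification; whether the downloader validates the server certificate is not visible in this hunk and is worth confirming. I would keep the unverified state at warning level on both paths, for example by replacing the `info` line with `warning KEYRING "Cannot check Release signature; keyring file not available %s; using https mirror %s" "$1" "$DEF_HTTPS_MIRROR"`. A short comment above the `elif` stating that https is a fallback for a missing keyring, not a substitute for signature checking, would also help the next reader.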