-rw-r--r-- | debian/changelog | 8 | ||||
-rwxr-xr-x | debootstrap | 6 | ||||
-rw-r--r-- | functions | 16 |
3 files changed, 23 insertions, 7 deletions
diff --git a/debian/changelog b/debian/changelog
index e9a72f9..83a9634 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,18 @@
 debootstrap (1.0.56) UNRELEASED; urgency=low
+ [ Tollef Fog Heen ]
 * Install base-passwd and base-files in two calls rather than one to avoid problems with home-built media with different ordering in Packages. Thanks to Jo Shields for pointing this out and providing the workaround. Closes: #601670. LP: #1001131.
+ [ Joey Hess ]
+ * When deboostrapping Debian, and the debian-archive-keyring is not
+ available, switch the default mirror to a https url. This way at
+ least the CA level of security is available even for users who
+ have no way to check gpg keys in the WoT. The https mirror is
+ currently https://mirrors.kernel.org/debian.
+
 -- Tollef Fog Heen <tfheen@debian.org> Thu, 19 Dec 2013 13:41:37 +0100
 debootstrap (1.0.55) unstable; urgency=low
diff --git a/debootstrap b/debootstrap
index dfa0abc..f7ee5d1 100755
--- a/debootstrap
+++ b/debootstrap
@@ -47,6 +47,7 @@ CHECKCERTIF=""
 PRIVATEKEY=""
 DEF_MIRROR="http://ftp.us.debian.org/debian"
+DEF_HTTPS_MIRROR="https://mirrors.kernel.org/debian"
 export LANG USE_COMPONENTS
 umask 022
@@ -374,6 +375,7 @@ else
 fi
 SUITE="$1"
 TARGET="$2"
+ USER_MIRROR="$3"
 TARGET="${TARGET%/}"
 if [ "${TARGET#/}" = "${TARGET}" ]; then
 if [ "${TARGET%/*}" = "$TARGET" ] ; then
@@ -533,8 +535,8 @@ if [ "$SECOND_STAGE_ONLY" = "true" ]; then
 MIRRORS=null:
 else
 MIRRORS="$DEF_MIRROR"
- if [ "$3" != "" ]; then
- MIRRORS="$3"
+ if [ "$USER_MIRROR" != "" ]; then
+ MIRRORS="$USER_MIRROR"
 MIRRORS="${MIRRORS%/}"
 fi
 fi
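Review bot: `USER_MIRROR` is assigned only by the added `USER_MIRROR="$3"` line in the second debootstrap hunk, which sits inside a branch (the hunk header shows `else`), and nothing visible initializes it elsewhere, so on any path that skips this branch its value comes from the caller's environment. Because keyring() in functions tests `[ -z "$USER_MIRROR" ]` to decide whether the https fallback applies, an inherited value could silently disable that fallback. Initializing it next to the other defaults in the first hunk, `USER_MIRROR=""`, removes that dependence. A comment on `DEF_HTTPS_MIRROR` such as `# fallback when no archive keyring is available: TLS transport security only, no Release signature check` would also document the trust trade-off. The enclosing blocks start and end outside these hunks.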
@@ -196,9 +196,17 @@ download_style () {
 }
 keyring () {
- KEYRING_WANTED="$1"
- if [ -z "$KEYRING" ] && [ -e "$KEYRING_WANTED" ]; then
- KEYRING="$KEYRING_WANTED"
+ if [ -z "$KEYRING" ]; then
+ if [ -e "$1" ]; then
+ KEYRING="$1"
+ elif [ -z "$DISABLE_KEYRING" ]; then
+ if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] ; then
+ info KEYRING "Keyring file not available at %s; switching to https mirror %s" "$1" "$DEF_HTTPS_MIRROR"
+ DEF_MIRROR="$DEF_HTTPS_MIRROR"
+ else
+ warning KEYRING "Cannot check Release signature; keyring file not available %s" "$1"
+ fi
+ fi
 fi
 }
@@ -520,8 +528,6 @@ download_release_sig () {
 (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
 "$relsigdest" "$reldest" || true) | read_gpg_status
 progress 100 100 DOWNRELSIG "Downloading Release file signature"
- elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
- warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 fi
 }
|
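Review bot: In keyring(), the https fallback branch only emits `info KEYRING "... switching to https mirror %s"`, and the "Cannot check Release signature" warning is now reached only in the `else`, so on the default path the user is presumably no longer told that the Release file goes unverified by gpg. TLS authenticates the mirror host, not the archive contents, so I would keep this at warning level, e.g. `warning KEYRING "Keyring file not available at %s; Release signature will not be checked, using https mirror %s" "$1" "$DEF_HTTPS_MIRROR"`. The `DEF_MIRROR="$DEF_HTTPS_MIRROR"` assignment also only takes effect if keyring() runs before `MIRRORS="$DEF_MIRROR"` is evaluated in debootstrap, and it assumes every caller is a Debian suite script, since `DEF_HTTPS_MIRROR` names a Debian mirror. Neither is visible in this diff, so both deserve a check and a short comment above the function.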