Bug#790565: pbuilder: support https in MIRRORSITE detection

[Michael Prokop]

* Mattia Rizzolo [Fri Jul 03, 2015 at 07:44:19AM +0000]:
> On Tue, Jun 30, 2015 at 10:54:18AM +0200, Michael Prokop wrote:

> > pbuilder fails to detect MIRRORSITE if /etc/apt/sources.list
> > includes only https entries.
> > Patch attached.

> Well, that's not enough.
> I haven't tried, by I'd say having https lines in /etc/apt/sources.list
> requires apt-transport-https.

Yes, apt-transport-https is indeed needed and that's what I'm doing
to set up the build envs:

| /usr/sbin/cowbuilder --create [,,,] --debootstrapopts --include=apt-transport-https,ca-certificates

ca-certificates isn't explicitely needed because it seems to be
pulled in anyway, but maybe we should add it explicitely as well,
what do you think?

> I don't want to install apt-transport-https by default on chroots,

Which I can understand (though it's not nice that we throw so many
pitfalls to users that care about security, but that's related to
the issue of the separate apt-transport-https package as you noted).

> so if you really want https being automatically detected and used
> then you also want to add some conditional things that install
> apt-transport-https if needed.

Would it be an option to check for usage of https in $MIRRORSITE
in /usr/lib/pbuilder/pbuilder-createbuildenv and then extend the
--include=apt option with apt-transport-https accordingly?

> Then I've never understood why apt-transport-https is on a different package
> not in the main apt binary, but that's another story.

Yeah :-/

regards,
-mika-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pbuilder-maint/attachments/20150703/bcbe6c18/attachment.sig>