Bug#790565: pbuilder: support https in MIRRORSITE detection

Michael Prokop mika at debian.org
Fri Jul 3 10:15:32 UTC 2015


* Mattia Rizzolo [Fri Jul 03, 2015 at 09:12:46AM +0000]:
> On Fri, Jul 03, 2015 at 10:39:52AM +0200, Michael Prokop wrote:
> > * Mattia Rizzolo [Fri Jul 03, 2015 at 07:44:19AM +0000]:
> > > On Tue, Jun 30, 2015 at 10:54:18AM +0200, Michael Prokop wrote:

[MIRRORSITE setup with https]
> > Yes, apt-transport-https is indeed needed and that's what I'm doing
> > to set up the build envs:

> > | /usr/sbin/cowbuilder --create [...] --debootstrapopts --include=apt-transport-https,ca-certificates

> > ca-certificates isn't explicitly needed because it seems to be
> > pulled in anyway, but maybe we should add it explicitly as well,
> > what do you think?

> ca-certificates is a recommends of libcurl3-gnutls which is in turn a
> dependency of apt-transport-https. the chroots created by pbuilder disable the
> automatic installation of recommends, so you explicitly need it, yes.

ACK (JFTR: at least in squeeze ca-certificates is a hard dependency
of libcurl3-gnutls so it gets automatically pulled in anyway, as I
just verified).

> I'm not super happy about having ca-certificates (and that means openssl) in
> chroots, though I guess nobody is going to manually install single certificates
> for every host he's going to connect to, and ssl without trusting certs is
> useless. What a pain.
> As long as this is not the default, I'm ok, though.

Agreed.

> > > so if you really want https being automatically detected and used
> > > then you also want to add some conditional things that install
> > > apt-transport-https if needed.

> > Would it be an option to check for usage of https in $MIRRORSITE
> > in /usr/lib/pbuilder/pbuilder-createbuildenv and then extend the
> > --include=apt option with apt-transport-https accordingly?

> not only -createbuildenv, but also -updatebuildenv. There are already a couple
> of cases where the installed packages are extended.
> And I think we also want to check for https in the chroot's
> /etc/apt/sources.list in -updatebuildenv, since a user might have added entries
> by hand and now wants to use them.

Oh right, thanks for mentioning that.

> But, umh, this is going to be a bit tricky because the first `apt-get update`
> is going to fail due to the missing apt-transport-https, and the EXTRAPACKAGES
> check is done after that.

Right.

> Only now I see that you're explicitly installing them in the debootstrap
> phase, and not after, e.g. adding them to the EXTRAPACKAGES conf entry. umh.
> And as you can read in the comment above the debootstrap invocation (even if
> that would mean ignoring the --update use case), adding packages with --include
> is not safe from our pov, so that's not really as easy as I first thought.

Ok, that's what I was afraid of. :-/

> Please have a look at those two scripts and try to see if you can think of a
> clean solution for this :)

I will try to, though I can't promise any ETA currently.

My main concern with the current handling of pbuilder WRT https
is that even with DEBIAN_FRONTEND=noninteractive and only https
entries present in sources.list, its installation fails with "Default
mirror not found" and prompts for interactive usage, which I
consider a pity.

Only via preseeding do I manage to get pbuilder installed without
failing/prompting for mirror selection. My patch prevents the
failing pbuilder installation and leaves the apt-transport-https
handling to the user. As a first step we could maybe include my
current patch and clarify the usage of https WRT apt-transport-https
in pbuilder's documentation? This at least slightly improves the
situation for users of an https-only sources.list, and later on we
can further improve the situation. What do you think?

PS: Interestingly, with
# echo "pbuilder mirrorsite select https://debian..../debian" | debconf-set-selections
I still end up with "MIRRORSITE=http://cdn.debian.net/debian" in
/etc/pbuilderrc, didn't investigate more closely, though.

regards,
-mika-
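The detection discussed in this thread (look for https:// in $MIRRORSITE and in the chroot's /etc/apt/sources.list, then extend the package list with apt-transport-https and, because pbuilder chroots do not install Recommends, ca-certificates), as an added example that is not pbuilder's own code. The function names, the constructed sources.list files and the sample mirror URLs are assumptions for the demonstration. The check has to run before the first `apt-get update`, which is exactly where the thread notes it would otherwise fail; whether the resulting list is then fed to debootstrap --include (which the thread points out pbuilder does not consider safe) or installed in a later step is left to the caller.

```sh
#!/bin/sh
# Added example, not part of pbuilder: decide whether a chroot needs
# apt-transport-https (plus ca-certificates, since pbuilder chroots do not
# install Recommends) by looking for https:// in MIRRORSITE and in the
# chroot's sources.list. Function names and file paths are assumptions.

# https_needed MIRRORSITE SOURCES_LIST
# Prints "yes" if an https:// URI is found in either place, "no" otherwise.
# Commented-out sources.list entries are ignored; "[options]" before the
# URI (e.g. [arch=amd64]) are tolerated.
https_needed() {
    mirror="$1"
    sources="$2"
    case "$mirror" in
        https://*) echo yes; return 0 ;;
    esac
    if [ -r "$sources" ]; then
        if grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?https://' "$sources"; then
            echo yes; return 0
        fi
    fi
    echo no
}

# extra_include BASE_INCLUDE MIRRORSITE SOURCES_LIST
# Prints the comma-separated package list (debootstrap --include syntax),
# appending apt-transport-https and ca-certificates only when https is in use.
extra_include() {
    base="$1"
    if [ "$(https_needed "$2" "$3")" = yes ]; then
        case "$base" in
            "") echo "apt-transport-https,ca-certificates" ;;
            *)  echo "$base,apt-transport-https,ca-certificates" ;;
        esac
    else
        echo "$base"
    fi
}

# Constructed sample sources.list files (not real chroots) for the demo.
tmp=$(mktemp -d)
cat > "$tmp/plain.list" <<'EOF'
deb http://ftp.debian.org/debian squeeze main
# deb https://example.invalid/debian squeeze main   <- commented out, must not count
EOF
cat > "$tmp/tls.list" <<'EOF'
deb http://ftp.debian.org/debian squeeze main
deb [arch=amd64] https://example.invalid/debian squeeze main
EOF

echo "http mirror, plain list:  $(extra_include apt http://cdn.debian.net/debian "$tmp/plain.list")"
echo "https mirror, plain list: $(extra_include apt https://example.invalid/debian "$tmp/plain.list")"
echo "http mirror, tls list:    $(extra_include apt http://cdn.debian.net/debian "$tmp/tls.list")"
rm -rf "$tmp"
```

Run it as a plain script; the first line reports just "apt", the other two append apt-transport-https,ca-certificates. A missing or unreadable sources.list (the --create case, before the chroot exists) is treated as containing no https entries, so only MIRRORSITE decides.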