Comment 3 for bug 1836041

Tyler Hicks (tyhicks) wrote : Re: [Bug 1836041] [NEW] Snap kernel installs packages with allow-unauthenticated and http mirrors

I did some work on this and got to know the makefile and its purpose a
little better. I'm able to respond to more of the initial bug report
now.

On 2019-07-15 20:48:06, Launchpad Bug Tracker wrote:
> Inside these Makefiles, it uses a number of hardcoded http URLs.

To be clear, this is not a security issue. Ubuntu uses http URLs for apt
archives. The files served over http are signed and then verified by the
client.

I'll update the bug title to remove the mention of http mirrors being an
issue.

> One is a PPA URL to launchpad, which should be parameterised (I can't hit it
> from a corporate network), and the other is a parameterised URL hard-coded
> to use 'http'.

You can override the use of the ftpmaster.internal/ubuntu mirror URL
using the MIRROR make variable like so:

 $ sudo make KERNEL=linux-pc-image MIRROR=us.archive.ubuntu.com

> The parameterised endpoint is `ftpmaster.internal/ubuntu` by default,
> and should probably point to 'http://archive.ubuntu.com/ubuntu/' or
> something that is buildable by end-users as well, especially seeing as
> it is the default if building from the snapcraft.yaml file, see
> following link, sets 'PROPOSED=true' in the 'make-parameters' section
> of the build.

The default mirror used is a separate, non-security issue and should not
be tracked by this particular bug report.