Comment 8 for bug 1135163

Colin Watson (cjwatson) wrote :

I've found one further issue, and a somewhat thorny one. Where we resolve it probably depends on upstream response. It doesn't affect the "ignore SSL certificates" case, so you may not be so worried about this; but I do think we need to sort it out.

apt-transport-https uses libcurl to download from HTTPS. This works fine if you're using a mirror whose root of trust is in ca-certificates, or if you've disabled CA certificate checking. However, we're specifically using libcurl3-gnutls, and cURL's GnuTLS backend only supports using a CA bundle, not a directory. As a result it is awkward to copy certificates from d-i to the target system.

The options I can think of at the moment are:

 * add CA directory support to cURL's GnuTLS backend (which would make some sense given that wget supports this with GnuTLS)
 * have apt-transport-https scan the CA directory itself manually
 * integrate with ca-certificates to merge the certificates provided to d-i into the bundle (this might be a nice thing to do anyway, since it would place the installer-provided certificates under /usr/local/)

I've added a curl task to this bug to represent the first of these options, but I'll need to think about this a bit and perhaps discuss it with some other people.
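The bundle-versus-directory mismatch described in this comment, as an added shell example that is not code from the bug, from apt-transport-https, cURL or d-i: it takes a directory of installer-provided certificates, concatenates the PEM blocks into the single bundle file that curl's GnuTLS backend can consume, points apt-transport-https at it through `Acquire::https::CaInfo`, and, for the third option, stages the same files where `update-ca-certificates` will pick them up. The function names, the `installer` subdirectory under /usr/local/share/ca-certificates and the sample certificate files are assumptions; the PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: work around curl's GnuTLS backend accepting only a CA bundle
# (CURLOPT_CAINFO) rather than a CA directory. Names and paths are assumptions.
set -eu

# merge_ca_dir SRC_DIR OUT_BUNDLE
# Concatenate the PEM certificate blocks of every *.crt / *.pem in SRC_DIR into
# OUT_BUNDLE. Text outside the BEGIN/END markers is dropped; files with no PEM
# certificate are skipped and reported. Prints the number of certificates written.
merge_ca_dir() {
    src_dir=$1
    out=$2
    tmp=$(mktemp)
    count=0
    for f in "$src_dir"/*.crt "$src_dir"/*.pem; do
        [ -f "$f" ] || continue
        n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -eq 0 ]; then
            echo "skipping $f: no PEM certificate found" >&2
            continue
        fi
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$f" >> "$tmp"
        count=$((count + n))
    done
    # World-readable: apt's https method runs unprivileged and must read the bundle.
    install -m 0644 "$tmp" "$out"
    rm -f "$tmp"
    echo "$count"
}

# write_apt_cainfo BUNDLE OUT_CONF
# apt.conf.d fragment telling apt-transport-https which bundle to trust.
write_apt_cainfo() {
    printf 'Acquire::https::CaInfo "%s";\n' "$1" > "$2"
}

# stage_for_ca_certificates SRC_DIR [DEST_DIR]
# Third option from the comment: place the certificates where ca-certificates
# merges them into /etc/ssl/certs/ca-certificates.crt. update-ca-certificates
# only considers files named *.crt below /usr/local/share/ca-certificates, so
# .pem inputs are renamed. Run update-ca-certificates afterwards (as root).
stage_for_ca_certificates() {
    src_dir=$1
    dest_dir=${2:-/usr/local/share/ca-certificates/installer}   # assumed location
    mkdir -p "$dest_dir"
    for f in "$src_dir"/*.crt "$src_dir"/*.pem; do
        [ -f "$f" ] || continue
        grep -q '^-----BEGIN CERTIFICATE-----' "$f" || continue
        base=$(basename "$f")
        cp "$f" "$dest_dir/${base%.*}.crt"
    done
}

# demo WORKDIR
# Build a constructed certificate directory under WORKDIR, merge it into
# WORKDIR/bundle.crt and write WORKDIR/99d-i-ca. Prints the certificate count.
demo() {
    work=$1
    src="$work/d-i-certs"
    mkdir -p "$src"
    # Constructed placeholders standing in for installer-provided CA certs.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedRootCA0' \
        '-----END CERTIFICATE-----' > "$src/mirror-root.crt"
    printf '%s\n' '# two intermediates in one file' \
        '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIntermediate1' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIntermediate2' '-----END CERTIFICATE-----' \
        > "$src/chain.pem"
    printf 'this is not a certificate\n' > "$src/broken.crt"   # skipped: no PEM block
    printf 'ignored: wrong extension\n' > "$src/notes.txt"     # ignored: not .crt/.pem

    merge_ca_dir "$src" "$work/bundle.crt"
    write_apt_cainfo "$work/bundle.crt" "$work/99d-i-ca"
}

demo "$(mktemp -d)"
```

On a real target the bundle would live somewhere like /etc/apt/ca-bundle.crt with the fragment in /etc/apt/apt.conf.d/, or the staged copies would go under /usr/local/share/ca-certificates followed by `update-ca-certificates`, which makes the installer's certificates part of the default bundle that libcurl3-gnutls already reads without any apt configuration.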