Ubuntu
debian-installer package

Bug #1807023
Comment #0

Comment 0 for bug 1807023

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-12-05:

[Impact]

* The installer stock images fail to validate any HTTPS
certificates because ca-certificates is not available
in the installer environment.

* This causes wget/download errors for preseed files on
   HTTPS servers (or HTTP servers that redirect to HTTPS,
   which are increasingly common nowadays - e.g., GitHub)
   and theoretically any other files that are downloaded
   with d-i-utils/fetch-url/wget.

* The fix is to ship ca-certificates-udeb in installer
stock images.

* Debian already ships ca-certificate-udeb in the stock
installer images; the fix is applied since Jan 2017.
(reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

[Test Case]

* In the installer shell:

~ # wget http://github.com # or https://github.com

- FAIL if ca-certificates-udeb is missing:
"ERROR: cannot verify github.com's certificate, <...>'

- PASS if ca-certificates-udeb is available
"Saving to: 'index.html'"

* Test steps with virt-install and netboot images
are provided in the comments, for each release.

[Regression Potential]

* Low. This just adds the ca-certificates files in
/etc/ssl/certs and symlink in /usr/lib/ssl/certs,
so only tools looking for that would be affected.

* Apparently only wget checks for/uses those files,
and the difference in behavior is download errors
no longer occur.

[Notes]

* The ca-certificates-udeb is not currently present
   in the Ubuntu archive despite being available for
   download in Launchpad with a link for some reason
   (perhaps a problem during import from Debian/sid?)

* So this fix includes a no-change-rebuild for the
ca-certificates package, in order to publish the
udeb in the archive.

* The ca-certificates and debian-installer builds
have been done in a PPA using all architectures,
and testing has been done with the amd64 images.

* This fix is request for Bionic, Cosmic, Disco.

   The older releases (Trusty, Xenial) are affected,
   but not requested for, and would need more work,
   as the udeb is not yet in the packaging but that
   is doable if required for the process.

[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6

[Impact]

* The installer stock images fail to validate any HTTPS
   certificates because ca-certificates is not available
   in the installer environment.

* The fix is to ship ca-certificates-udeb in installer
   stock images.

* Debian already ships ca-certificate-udeb in the stock
   installer images; the fix is applied since Jan 2017.
   (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

[Test Case]

* In the installer shell:

~ # wget http://github.com  # or https://github.com

- FAIL if ca-certificates-udeb is missing:
     "ERROR: cannot verify github.com's certificate, <...>'

- PASS if ca-certificates-udeb is available
     "Saving to: 'index.html'"

* Test steps with virt-install and netboot images
   are provided in the comments, for each release.

[Regression Potential]

* Low. This just adds the ca-certificates files in
   /etc/ssl/certs and symlink in /usr/lib/ssl/certs,
   so only tools looking for that would be affected.

* Apparently only wget checks for/uses those files,
   and the difference in behavior is download errors
   no longer occur.

[Notes]

* So this fix includes a no-change-rebuild for the
   ca-certificates package, in order to publish the
   udeb in the archive.

* The ca-certificates and debian-installer builds
   have been done in a PPA using all architectures,
   and testing has been done with the amd64 images.

* This fix is request for Bionic, Cosmic, Disco.

The older releases (Trusty, Xenial) are affected,
   but not requested for, and would need more work,
   as the udeb is not yet in the packaging but that
   is doable if required for the process.

[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6

Ubuntudebian-installer package

Comment 0 for bug 1807023

Ubuntu
debian-installer package