Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
Control: tag -1 + pending
On Fri, 23 Feb 2018, Kristian Klausen wrote:
> Busybox version of wget does not check the certificate at all, which defeat the purpose of https.
> Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/' and busybox wget 'https://expired.badssl.com/'
At the same time, ca-certificates is not embedded in the initrd either so
certificates could not be checked. And the purpose of https is two-fold:
privacy due to encryption (we have that), and authentication with
certificates (we don't have that).
I don't even know where live-boot is using URL and what for. But I have
committed the patch.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: