[16:04]  * cjwatson writes a longish mail about thoughts for possible approaches to the debootstrappish part of bug 1135163, and then realises that he's argued himself round to the point where only a single option is plausible
[16:04] <ubot2`> Launchpad bug 1135163 in choose-mirror (Ubuntu) "d-i can't install against an https mirror" [High,In progress] https://launchpad.net/bugs/1135163
[17:47] <infinity> cjwatson: Are you going to make --no-check-gpg imply --no-check-ssl, or add the latter as an explicit debootstrap option or some such?
[17:48] <infinity> cjwatson: (And then pass down a cmdline/preseed to trigger same, for people who don't care about baking certs into an installer or driver disk)
[17:49] <cjwatson> infinity: I already made debian-installer/allow_unauthenticated imply wget --no-check-certificate, indeed
[17:49] <cjwatson> At least for early stages; I still need to arrange to pass that to debootstrap, but it's easy enough
[17:49] <infinity> cjwatson: Sure, I meant for debootstrap.
[17:50] <cjwatson> debootstrap has a --no-check-certificate option, so it's just a matter of having base-installer pass it.  Next on my list
[17:50] <infinity> cjwatson: I wonder if debootstrap might want a --no-check-ssl, and then a --no-check-sigs that implies -ssl/-gpg for people who want to skip all checking at once.
[17:50] <infinity> Oh, wait, it does?
[17:50] <infinity> Oh, so it does.
[17:50] <infinity> I've never noticed that before.
[17:51] <infinity> Cause I never thought it did SSL. :P
[17:51] <infinity> Neeeevermind, then.
[17:51] <cjwatson> Looks like it was added in 2010
[17:52] <infinity> Explains it.  I don't seem to notice new software features added after about 2002, unless they smack me in the face.
[17:53] <cjwatson> It may be worth having a separate preseedable question for disabling SSL checks, but I think I'll wait until somebody complains
[17:54] <infinity> My bet is that's what the big G would prefer.
[17:54] <infinity> Driver disks or custom installers are both harder than a preseed when you're installing on a network that you trust.
[17:54] <cjwatson> Hm, you may be right.  If so I should probably do that now rather than later
[17:55] <cjwatson> The SSL check is weaker than GPG for most purposes
[17:55] <infinity> Right, AFAIR, their reason for wanting SSL wasn't anonymisation or security, but purely that they prefer not to run any HTTP services at all.
[17:55] <infinity> So, having one unique snowflake HTTP Ubuntu mirror irks them.
[17:56] <infinity> But I doubt they care AT ALL if it provides any security on top of the GPG checks.
[18:00] <cjwatson> I shouldn't have mailed debian-mirrors@ about adding Mirrors.masterlist metadata for this - now I'm embroiled in arguments with people missing the point