security issue with a dead simple fix: download debootstrap using HTTPS

[eighthave]

Right now, crouton downloads debootstrap from anonscm.debian.org using an HTTP link. That URL is also accessible using an HTTPS link, e.g.

crouton $ git diff
diff --git a/installer/ubuntu/bootstrap b/installer/ubuntu/bootstrap
index f826dfd..a0f24a5 100644
--- a/installer/ubuntu/bootstrap
+++ b/installer/ubuntu/bootstrap
@@ -10,7 +10,7 @@

 # Grab the latest release of debootstrap
 echo 'Downloading latest debootstrap...' 1>&2
-d='http://anonscm.debian.org/gitweb/?p=d-i/debootstrap.git;a=snapshot;h=HEAD;sf=tgz'
+d='https://anonscm.debian.org/gitweb/?p=d-i/debootstrap.git;a=snapshot;h=HEAD;sf=tgz'
 if ! wget -O- --no-verbose --timeout=60 -t2 "$d"  \
         | tar -C "$tmp" --strip-components=1 -zx 2>/dev/null; then
     echo 'Download from Debian gitweb failed. Trying latest release...' 1>&2

[dnschneid]

Oops. Sign the CLA and open a PR?

[eighthave]

I'm not going to sign a CLA for trivial changes that are not even copyrightable. Security fixes should definitely take priority over a CLA anyhow, especially with a fix this trivial. Additionally, asking contributors to sign a CLA means asking them to spend time reviewing legal documents instead of code. Really, contributors should also consult a lawyer, since you/your org certainly did when putting up your CLA. I think it is reasonable to require the Apache CLA, since that is a standard legal document written by an organization that is working in the public interest. If your org wants to sponsor a lawyer to consult with me, like the Free Software Foundation does with their licenses, then I would consider your CLA. I was hoping to get elementaryOS in crouton, but the CLA requirement is unfortunately a make or break deal for me.

[DennisLfromGA]

Jeez Louise - I'll do it - #2121

[eighthave]

Sorry, didn't intend to start here with a rant, but asking to sign a CLA to add a single letter is pretty extreme.

[DennisLfromGA]

No problem as far as I'm concerned; I've already signed the CLA and I think it's a simple but warranted mod. Thanx for the suggestion and fix.

[dnschneid]

Sorry for the hassle...e-mail me if you want to talk to our legal department :)