)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"e0a08aefbc94158d3cd68908a8d5e9015b89b194","unresolved":true,"context_lines":[{"line_number":11,"context_line":"but \u0027DIB_DISTRIBUTION_MIRROR\u0027 points to an insecure HTTPS repository"},{"line_number":12,"context_line":"that is \"secured\" using an insecure certificate."},{"line_number":13,"context_line":"To fix the issue \u0027DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS\u0027 can be set to"},{"line_number":14,"context_line":"the \"0\" value."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Change-Id: I6f41670a4bb5f79da3223979214c175c444d7719"},{"line_number":17,"context_line":"Signed-off-by: Maksim Malchuk \u003cmaksim.malchuk@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"cf68e83d_f4bce729","line":14,"updated":"2026-02-02 09:24:19.000000000","message":"I think i was slightly mislead by this; it\u0027s not really an issue with `DIB_DISTRIBUTION_MIRROR_UBUNTU_INSECURE` right?  Now this change basically just adds `DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS` which allows you ignore a self-signed cert (presumably)?","commit_id":"eaeb6e4cc1323c5924569b4b89316543c3af0541"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"44c881754b4cd51d57270bfa41d666cfafcde402","unresolved":false,"context_lines":[{"line_number":11,"context_line":"but \u0027DIB_DISTRIBUTION_MIRROR\u0027 points to an insecure HTTPS repository"},{"line_number":12,"context_line":"that is \"secured\" using an insecure certificate."},{"line_number":13,"context_line":"To fix the issue \u0027DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS\u0027 can be set to"},{"line_number":14,"context_line":"the \"0\" value."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Change-Id: I6f41670a4bb5f79da3223979214c175c444d7719"},{"line_number":17,"context_line":"Signed-off-by: Maksim Malchuk \u003cmaksim.malchuk@gmail.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"2c4ab8cb_8a097b28","line":14,"in_reply_to":"cf68e83d_f4bce729","updated":"2026-02-02 12:18:16.000000000","message":"yep, meaning changed during the review process.","commit_id":"eaeb6e4cc1323c5924569b4b89316543c3af0541"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7eb4ae1c8c9577f66516f49eca0d53994c39397e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"674ef7f7_a6f7cf40","updated":"2026-01-29 19:53:38.000000000","message":"Agree. And ok, will create the new change with DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS. Thanks.","commit_id":"5dfa1bb06535060a3b7c34b0bcc1bd7e0dae1a2c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e0990ae8dc56247315a9a2fc116e145ffce1f6c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"8524177a_3de2b36a","updated":"2026-01-29 16:43:31.000000000","message":"The meaning of DIB_DISTRIBUTION_MIRROR_UBUNTU_INSECURE is to trust package repos who\u0027s gpg signatures are not verified. This is a different situation to deciding whether or not you should trust an https server whose certificate is not verifiable.\n\nFor a concrete example OpenDev\u0027s Ubuntu mirrors are built using reprepro so that we can validate mirror contents before publishing them in AFS. Doing so means that the repo is no longer signed by upstream and is instead signed by reprepro. These signatures are not trusted by Ubuntu installations without extra effort. But we do run valid https certs in front of our mirrors. My preference would be that we do not conflate these two behaviors under a single flag as a result. OpenDev wants to verify ssl certs but not gpg signatures.\n\nI\u0027m not -1\u0027ing because I want to see if there is other input. But my preference would be that we use a new flag for this. Maybe DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS or similar.","commit_id":"5dfa1bb06535060a3b7c34b0bcc1bd7e0dae1a2c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"9b3972c19401c0898b02a49c09c0283e7ea2b166","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6f21783e_5f39fc1a","updated":"2026-01-29 21:48:27.000000000","message":"Two things the first is noted inline. Then can we also update diskimage_builder/elements/ubuntu/README.rst with a note about the new variable?","commit_id":"d78d952de6adbdb05d4711756158777dcba3b5a0"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"f468ac85c083e4f0fcc362fd9b08a9bb0f1e802e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c2d068e1_7d1f870d","updated":"2026-01-30 08:51:23.000000000","message":"okay","commit_id":"d78d952de6adbdb05d4711756158777dcba3b5a0"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"757379fb6c58b930e76543fa73b44adfc9c6b64b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6f90cb5d_8d7f1016","in_reply_to":"6f21783e_5f39fc1a","updated":"2026-01-30 14:09:40.000000000","message":"Done","commit_id":"d78d952de6adbdb05d4711756158777dcba3b5a0"},{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"3860be8d0b9dab4e20468ba77cac58561635e6b5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"d7821af4_523127cb","updated":"2026-02-02 23:40:58.000000000","message":"approving through, only updated description since clarkb\u0027s approval","commit_id":"12121be8e9f94226aac16b57a27cc0571bc34297"}],"diskimage_builder/elements/ubuntu/pre-install.d/01-set-ubuntu-mirror":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"1b8e617ebd2135121d782783d645af057231929e","unresolved":false,"context_lines":[{"line_number":54,"context_line":"    echo \"APT::Get::AllowUnauthenticated \\\"true\\\";\" | tee /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":55,"context_line":"    echo \"Acquire::AllowInsecureRepositories \\\"true\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":56,"context_line":"    if [[ ${DIB_DISTRIBUTION_MIRROR} \u003d~ \"https:\" ]]; then"},{"line_number":57,"context_line":"        echo \"Acquire::https::Verify-Peer \\\"false\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":58,"context_line":"    fi"},{"line_number":59,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9b1176fd_d2f69b78","line":57,"updated":"2026-01-29 17:06:43.000000000","message":"This is consistent with the \"Disabling security\" section of the apt-transport-https manpage and accompanying examples therein, though if the CN/SAN in the server\u0027s cert doesn\u0027t cover the hostname the client uses to refer to it, disabling `Verify-Host` may also be warranted (it isn\u0027t clear whether `Verify-Peer` also works around that case).","commit_id":"5dfa1bb06535060a3b7c34b0bcc1bd7e0dae1a2c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"9b3972c19401c0898b02a49c09c0283e7ea2b166","unresolved":true,"context_lines":[{"line_number":56,"context_line":"    echo \"Acquire::AllowInsecureRepositories \\\"true\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":57,"context_line":"    if [[ \"${DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS}\" \u003d\u003d \"0\" \u0026\u0026 ${DIB_DISTRIBUTION_MIRROR} \u003d~ \"https:\" ]]; then"},{"line_number":58,"context_line":"        echo \"Acquire::https::Verify-Peer \\\"false\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":59,"context_line":"    fi"},{"line_number":60,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":2,"id":"3caa084f_54a03c7e","line":59,"updated":"2026-01-29 21:48:27.000000000","message":"I would move this block entirely out of the DIB_DISTRIBUTION_MIRROR_UBUNTU_INSECURE block so that you can verify gpg and https independently of one another","commit_id":"d78d952de6adbdb05d4711756158777dcba3b5a0"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"757379fb6c58b930e76543fa73b44adfc9c6b64b","unresolved":false,"context_lines":[{"line_number":56,"context_line":"    echo \"Acquire::AllowInsecureRepositories \\\"true\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":57,"context_line":"    if [[ \"${DIB_DISTRIBUTION_MIRROR_VERIFY_HTTPS}\" \u003d\u003d \"0\" \u0026\u0026 ${DIB_DISTRIBUTION_MIRROR} \u003d~ \"https:\" ]]; then"},{"line_number":58,"context_line":"        echo \"Acquire::https::Verify-Peer \\\"false\\\";\" | tee -a /etc/apt/apt.conf.d/95allow-unauthenticated"},{"line_number":59,"context_line":"    fi"},{"line_number":60,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":2,"id":"a47180cd_25b7b3bf","line":59,"in_reply_to":"3caa084f_54a03c7e","updated":"2026-01-30 14:09:40.000000000","message":"Done","commit_id":"d78d952de6adbdb05d4711756158777dcba3b5a0"}]}