On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko
<vda.li...@googlemail.com> wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else have to be as paranoid.
> If you have a patch which adds actual cert checking
> and thus does not introduce regressions, please post it.

I think I need to point out that in usability perspective, BusyBox's current
behaviour is not ideal. It should give a runtime warning that certificate
checks are skipped, instead of pass it silently. Of course, it would be better
if actual certificate check is implemented, but if builder disables it (for
binary size or simplicity), there should be a runtime warning so that usability
for secure people won't be compromised.
busybox mailing list

Reply via email to