On 05/27/2018 11:58 AM, Eli Schwartz wrote:
> It's unacceptable that for something which you see as primarily useful
> in downloading very important source code, you simply don't care that
> the source code may be compromised by a MITMed attack.
> This is incredibly terrible logic, your cross-compiler is now infected
> with malicious code. The purpose of compiling code is *usually* to use
> it, which means that wherever you use that code, you're no longer in a
> QEMU sandbox, and whichever real box you use it on, can now say hello to
> unlimited arbitrary code execution.

By the way, *this would be perfectly fine* if it logged warnings when
you did it. Users would then know that they need to take extra
precautions, like validating PGP signatures.

Rather than assuming that the S in HTTPS actually means something to


Speaking with my Arch Linux maintainer hat on, I'm disabling WGET_HTTPS
until a patch is released which adds said warnings.

I won't demand that busybox wget learn to *check* certificates, though
obviously I would appreciate such functionality.

Eli Schwartz
Bug Wrangler and Trusted User
busybox mailing list

Reply via email to