On 05/27/2018 11:58 AM, Eli Schwartz wrote: > It's unacceptable that for something which you see as primarily useful > in downloading very important source code, you simply don't care that > the source code may be compromised by a MITMed attack. > This is incredibly terrible logic, your cross-compiler is now infected > with malicious code. The purpose of compiling code is *usually* to use > it, which means that wherever you use that code, you're no longer in a > QEMU sandbox, and whichever real box you use it on, can now say hello to > unlimited arbitrary code execution.
By the way, *this would be perfectly fine* if it logged warnings when you did it. Users would then know that they need to take extra precautions, like validating PGP signatures. Rather than assuming that the S in HTTPS actually means something to busybox. ... Speaking with my Arch Linux maintainer hat on, I'm disabling WGET_HTTPS until a patch is released which adds said warnings. I won't demand that busybox wget learn to *check* certificates, though obviously I would appreciate such functionality. -- Eli Schwartz Bug Wrangler and Trusted User _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
