Hello, > The justification for including HTTPS in the first place: > https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74 > > "my small automatic tooling to build cross-compilers from sources no > longer works, I need to additionally keep a local copy of ~4 megabyte > source tarball of a SSL library and ~2 megabyte source of wget, need to > compile and built both before I can download anything. All this despite > the fact that the build is done in a QEMU sandbox on a machine with > absolutely nothing worth stealing, so I don't care if someone would go > to a lot of trouble to intercept my HTTPS download to send me an > altered kernel tarball" > > This is incredibly terrible logic, your cross-compiler is now infected > with malicious code. The purpose of compiling code is *usually* to use > it, which means that wherever you use that code, you're no longer in a > QEMU sandbox, and whichever real box you use it on, can now say hello to > unlimited arbitrary code execution.
Well, I see it as "some servers no longer allow to download through HTTP because they redirect to HTTPS first, so I need a tool which speaks SSL". In this case, I see the reasoning behind that comment is acceptable. Cheers, Xabier Oneca_,,_ _______________________________________________ busybox mailing list email@example.com http://lists.busybox.net/mailman/listinfo/busybox