On Sun, May 27, 2018 at 2:21 AM, Kang-Che Sung <explore...@gmail.com> wrote:
> On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko
> <vda.li...@googlemail.com> wrote:
>> wget should work for common use cases.
>> Such as downloading sources of kernels, gcc and such.
>> From build scripts, not only by hand.
>> Without having to modify said scripts.
>> Your patch breaks that.
>> NAK.
>>
>> I don't care that security people are upset.
>> They are paranoid, it's part of their profession.
>> It does not mean everybody else has to be as paranoid.
>>
>> If you have a patch which adds actual cert checking
>> and thus does not introduce regressions, please post it.
>
> I think I need to point out that from a usability perspective, BusyBox's current
> behaviour is not ideal. It should give a runtime warning that certificate
> checks are skipped, instead of passing it silently.

I'll accept such a patch.

> Of course, it would be better
> if an actual certificate check is implemented, but if the builder disables it (for
> binary size or simplicity), there should be a runtime warning so that usability
> for secure people won't be compromised.

Sure, it'll be wonderful if more people hack on TLS code, improving it.