On Sun, May 27, 2018 at 2:21 AM, Kang-Che Sung <explore...@gmail.com> wrote:
> On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko
> <vda.li...@googlemail.com> wrote:
>> wget should work for common use cases.
>> Such as downloading sources of kernels, gcc and such.
>> From build scripts, not only by hand.
>> Without having to modify said scripts.
>> Your patch breaks that.
>> NAK.
>> I don't care that security people are upset.
>> They are paranoid, it's part of their profession.
>> It does not mean everybody else have to be as paranoid.
>> If you have a patch which adds actual cert checking
>> and thus does not introduce regressions, please post it.
> I think I need to point out that in usability perspective, BusyBox's current
> behaviour is not ideal. It should give a runtime warning that certificate
> checks are skipped, instead of pass it silently.

I'll accept such patch.

> Of course, it would be better
> if actual certificate check is implemented, but if builder disables it (for
> binary size or simplicity), there should be a runtime warning so that 
> usability
> for secure people won't be compromised.

Sure, it'll be wonderful if more people hack on TLS code, improving it.
busybox mailing list

Reply via email to