On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> I noticed that we are downloading a 3rd party precompiled library,
> libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> on PR-6266 failed because curl failed to download it.)
>
> This download is done in arch/arm/src/phy62xx/Make.defs:
>
> if [ ! -f libphy62xxble.a ]; then \
>   echo "############download lib form server############"; \
>   curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
>   cp -a libphy62xxble.a ../../../staging; \
> else \
>   echo "############file exist############"; \
> fi \
>
> Should we add a new item to Kconfig -> License Setup?
> For example:
> [ ] Use components that include 3rd party binary objects
This is a good catch! No Open-Source project should silently include external closed-source binary blobs from the internet. Not to mention insecure HTTP and no signature / certificate / checksum residing in the project for download verification. This is a serious security issue. In a perfect world this "allow 3rd party binaries" option would also block downloading and linking such objects when disabled :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
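A hardened replacement for the Make.defs fragment quoted above, as an added example (not NuttX code and not part of the thread): HTTPS only, a SHA-256 pinned in the tree, and a gate on the proposed Kconfig item. The digest value, the symbol name CONFIG_ALLOW_3RDPARTY_BINARIES and the FETCH override are assumptions.

```shell
# Hardened replacement for the Make.defs download step (added example, not
# NuttX code). The pinned digest, URL and the CONFIG_ALLOW_3RDPARTY_BINARIES
# symbol are assumptions for illustration.

# Print the SHA-256 of a file with whichever tool the build host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches exactly.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL FILE EXPECTED_SHA256
# Refuses plain-HTTP URLs, downloads over HTTPS only (redirects included),
# and deletes the file on a digest mismatch so a bad blob is never linked.
# FETCH can be overridden (e.g. in tests) with any "CMD OUTFILE URL" fetcher.
fetch_verified() {
  url=$1; file=$2; expected=$3
  fetch=${FETCH:-"curl -fsSL --proto =https --proto-redir =https -o"}
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
  esac
  if [ ! -f "$file" ]; then
    $fetch "$file" "$url" || return 1
  fi
  if ! verify_sha256 "$file" "$expected"; then
    echo "SHA-256 mismatch for $file, discarding it" >&2
    rm -f "$file"
    return 1
  fi
}

# stage_blob URL FILE EXPECTED_SHA256 STAGING_DIR
# The Make.defs entry point: only runs when the (hypothetical) Kconfig symbol
# CONFIG_ALLOW_3RDPARTY_BINARIES=y, so disabling it also blocks the download.
stage_blob() {
  if [ "${CONFIG_ALLOW_3RDPARTY_BINARIES:-n}" != y ]; then
    echo "3rd-party binary objects disabled in Kconfig; not fetching $2" >&2
    return 1
  fi
  fetch_verified "$1" "$2" "$3" && cp -a "$2" "$4"
}
```

In Make.defs the pinned digest lives next to the URL under version control, so a silently replaced blob on the vendor server fails the build instead of being linked.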