On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO <to...@cedro.info> wrote:
>
> On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > I noticed that we are downloading a 3rd party precompiled library,
> > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> > on PR-6266 failed because curl failed to download it.)
> >
> > This download is done in arch/arm/src/phy62xx/Make.defs:
> >
> >     if [ ! -f libphy62xxble.a ]; then \
> >         echo "############download lib form server############"; \
> >         curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> >         cp -a libphy62xxble.a ../../../staging; \
> >     else \
> >         echo "############file exist############"; \
> >     fi \
> >
> > Should we add a new item to Kconfig -> License Setup?
> > For example:
> >
> >     [ ] Use components that include 3rd party binary objects
>
> This is a good catch! No Open-Source project should silently include
> external closed-source binary blobs from the internet.
Yes, this is what I'm getting at. If we allow this at all, it should
definitely be gated behind a "Licensing" Kconfig that is OFF by default.

More below:

> Not to mention insecure HTTP and no signature / certificate / checksum
> residing in the project for download verification. This is a serious
> security issue.

If we allow this at all, there should be at least a basic mitigation:

(1) The SHA-512 of the known-legitimate file should be written in
    arch/arm/src/phy62xx/Make.defs.

(2) When the file is downloaded, it is initially saved to an alternate
    name, e.g., libphy62xxble.a.downloaded.

(3) The downloaded file's SHA-512 is computed and compared to the
    known-legitimate SHA-512. If there is a discrepancy then the build is
    aborted and the user is left to check what happened. If the file
    SHA-512 is verified then the file is renamed to its correct name.

Nathan
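The three-step mitigation described in the message above, written out as an added shell example (not code from the thread or from the NuttX tree). It assumes a hypothetical Make.defs variable PHY62XX_BLOB_SHA512 holding the pinned digest; the digest shown in the usage comment is a placeholder, not the real value.

```shell
#!/bin/sh
# Added example: pin-and-verify logic for a downloaded binary blob.
# Not from the mailing-list thread or from NuttX; the variable name
# PHY62XX_BLOB_SHA512 and the digest value are hypothetical placeholders.

# Compute the SHA-512 of a file with whichever tool the build host provides
# (coreutils sha512sum on Linux, shasum on macOS/BSD).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Step (2): fetch to <name>.downloaded so that a partial or tampered
# download is never sitting under the name the linker will pick up.
# -f makes curl fail on HTTP errors instead of saving an error page.
download_blob() {
  url=$1; name=$2
  curl -fsSL -o "$name.downloaded" "$url"
}

# Step (3): compare the digest of <name>.downloaded with the pinned value.
# On mismatch the file is removed and the function returns non-zero, which
# aborts the make recipe; on match the file is renamed to its real name.
# The check is independent of the transport, so it still catches a swapped
# file fetched over plain HTTP, although HTTPS is still preferable.
verify_blob() {
  name=$1; expected=$2
  actual=$(sha512_of "$name.downloaded")
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: SHA-512 mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$name.downloaded"
    return 1
  fi
  mv "$name.downloaded" "$name"
}

# How the same steps would read inline in a Make.defs recipe (step (1) is
# the pinned variable; the digest below is a placeholder):
#   PHY62XX_BLOB_SHA512 = <sha512-of-known-good-file>
#   if [ ! -f libphy62xxble.a ]; then \
#     download_blob http://www.phyplusinc.com/phyplus/libphy62xxble.a libphy62xxble.a && \
#     verify_blob libphy62xxble.a "$(PHY62XX_BLOB_SHA512)" || exit 1; \
#   fi
```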