Hi all,

Thanks for finding and reporting the issue. I will add a license guard and scout for all other binary files ASAP.
Best regards
Alin

-----Original Message-----
From: Tomek CEDRO <to...@cedro.info>
Sent: 15 May 2022 23:40
To: dev@nuttx.apache.org
Subject: Re: Add license Kconfig for 3rd party binary blobs?

On Sun, May 15, 2022 at 10:35 PM Nathan Hartman wrote:
> On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote:
> > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > > I noticed that we are downloading a 3rd party precompiled library,
> > > libphy62xxble.a from http://www.phyplusinc.com . (One of the Linux
> > > build tests on PR-6266 failed because curl failed to download it.)
> > >
> > > This download is done in arch/arm/src/phy62xx/Make.defs:
> > >
> > > if [ ! -f libphy62xxble.a ]; then \
> > >   echo "############download lib form server############"; \
> > >   curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a ; \
> > >   cp -a libphy62xxble.a ../../../staging; \
> > > else \
> > >   echo "############file exist############"; \
> > > fi \
> > >
> > > Should we add a new item to Kconfig -> License Setup?
> > > For example:
> > > [ ] Use components that include 3rd party binary objects
> >
> > This is a good catch! No Open-Source project should silently include
> > external closed-source binary blobs from internet.
>
> Yes, this is what I'm getting at.
>
> If we allow this at all, it should definitely be gated behind a
> "Licensing" Kconfig that is OFF by default.
>
> More below:
>
> > Not to mention insecure HTTP and no signature / certificate /
> > checksum residing in the project for download verification. This is
> > a serious security issue.
>
> If we allow this at all, there should be at least a basic mitigation:
> (1) The SHA-512 of the known-legitimate file should be written in
> arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is
> initially saved to an alternate name, e.g.,
> libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is
> computed and compared to the known-legitimate SHA-512. If there is a
> discrepancy then the build is aborted and the user is left to check
> what happened. If the file SHA-512 is verified then the file is
> renamed to its correct name.
>
> Nathan

Exactly :-) `sha512 -c sum filename` works on BSD like a charm and status
can be checked with `echo $?` :-)

Also `curl --hostpubsha256` can be used here to verify the server public
certificate :-)

--hostpubsha256 <sha256>
(SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the
remote host's public key. Curl will refuse the connection with the host
unless the hashes match.

Example:
curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

See also --hostpubmd5. Added in 7.80.0.

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
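The three-step mitigation Nathan proposes (pin the SHA-512 in the build file, download to an alternate name, verify then rename or abort) written out as a portable shell fragment. This is an added example, not NuttX's Make.defs and not code from anyone in the thread; it assumes the blob can be fetched over HTTPS, that the pinned hash is supplied by the caller (a placeholder, since the thread does not give the real value), and that either `sha512sum` (coreutils) or `shasum` (BSD/macOS) is on the PATH.

```shell
# Added example: verified download of a third-party binary blob.
# Not NuttX code; the expected SHA-512 value is an assumed placeholder
# that the build file would pin from a known-legitimate copy.

# Print the hex SHA-512 of a file, portable across coreutils and BSD/macOS.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Steps 2 and 3: $1 is the file saved under its alternate name, $2 the
# pinned SHA-512, $3 the final name. On a match the file is renamed into
# place; on a mismatch the suspect file is left for inspection and the
# function fails so the build aborts.
verify_and_install() {
    downloaded="$1"; expected="$2"; final="$3"
    actual=$(sha512_of "$downloaded")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-512 mismatch for $downloaded" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mv "$downloaded" "$final"
}

# Steps 1 to 3 combined: fetch $1 into "$2.downloaded", then verify/rename.
# -f makes curl fail on HTTP errors instead of saving an error page,
# --proto '=https' refuses a plain-http URL or redirect.
fetch_verified() {
    url="$1"; final="$2"; expected="$3"
    curl -fsSL --proto '=https' -o "$final.downloaded" "$url" || return 1
    verify_and_install "$final.downloaded" "$expected" "$final"
}
```

In a Make.defs recipe the `curl -L -o libphy62xxble.a ...` line would become `fetch_verified "$(LIBPHY_URL)" libphy62xxble.a "$(LIBPHY_SHA512)"`, with `LIBPHY_SHA512` set to the hash of a copy verified out of band; a mismatch returns non-zero, which is what makes the build stop rather than silently linking whatever the server returned.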