On Tue, Apr 20, 2021 at 10:23 AM Randy MacLeod
<randy.macl...@windriver.com> wrote:
>
> Add the oe-core list where patches are usually discussed.
>
> On 2021-04-17 10:41 a.m., Shachar Menashe wrote:
>
> This adds proper TLS verification to wget
>
> I think you should add some of the comments you made in the bugzilla here:
>
> ---
>
> By enabling the busybox feature: WGET_OPENSSL it means that in builds WITH
> openssl (ex. sato) the issue will be completely fixed, and in builds WITHOUT
> openssl, busybox will fall back to using the internal (insecure) client which
> will print out a message "note: TLS certificate validation not implemented".
> Note that busybox does not rely in any way on the OpenSSL library
> (it just executes the standalone binary, if it is found) so
> we shouldn't have linkage issues if CONFIG_FEATURE_WGET_OPENSSL is enabled
> but OpenSSL is not getting built.
>
> ---
>
> Thanks for the explanation.
> We could add an RSUGGESTS to make the coupling more clear:
>
> http://docs.yoctoproject.org/ref-manual/variables.html?highlight=rrecommends#term-RSUGGESTS
>
> I don't use that feature at all and it's not widely used in oe-core so
> hopefully someone opinionated will reply and help us out.
>
> ../Randy


> Signed-off-by: Shachar Menashe <shac...@vdoo.com>
> ---
>  meta/recipes-core/busybox/busybox.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/busybox/busybox.inc 
> b/meta/recipes-core/busybox/busybox.inc
> index 47fcb59302..8f274bd263 100644
> --- a/meta/recipes-core/busybox/busybox.inc
> +++ b/meta/recipes-core/busybox/busybox.inc
> @@ -77,6 +77,7 @@ def features_to_busybox_settings(d):
>      busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv4', True, False, 
> d), 'CONFIG_FEATURE_IFUPDOWN_IPV4', cnf, rem)
>      busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv6', True, False, 
> d), 'CONFIG_FEATURE_IFUPDOWN_IPV6', cnf, rem)
>      busybox_cfg(bb.utils.contains_any('DISTRO_FEATURES', 'bluetooth wifi', 
> True, False, d), 'CONFIG_RFKILL', cnf, rem)
> +    busybox_cfg(True, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem)
>      return "\n".join(cnf), "\n".join(rem)
>
>  # X, Y = ${@features_to_busybox_settings(d)}
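Review bot: The added busybox_cfg(True, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem) line passes a hard-coded True, while every neighbouring call in features_to_busybox_settings derives its condition from DISTRO_FEATURES. Nothing in this one-line change ties the option to an openssl binary being present in the image, and per the description quoted above, without that binary wget falls back to the internal client that prints "note: TLS certificate validation not implemented". Consider gating the setting on a condition that reflects openssl being installed, or pairing it with a runtime dependency hint in the recipe, and add a comment above the line saying why it is enabled.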
> --
> 2.17.1
>

This was discussed on the list last year. The conclusion was that
FEATURE_WGET_HTTPS should be disabled by default (i.e. giving anyone who
needs to fetch from https URLs a clear hint that they should be using
full-featured wget or curl) rather than enabling a hacky solution to
have busybox call out to the openssl command line tool. Has something
changed since then?
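
An added example, not part of this thread or of oe-core: a shell check that classifies which https path busybox wget would take in a built image, following the behaviour described above (openssl helper when CONFIG_FEATURE_WGET_OPENSSL is set and the binary is found, otherwise the internal client). The function names, status strings and the list of searched directories are assumptions, as is the point that the internal fallback needs CONFIG_FEATURE_WGET_HTTPS.

```shell
#!/bin/sh
# Usage: script BUSYBOX_DOT_CONFIG ROOTFS_DIR
# Both arguments are supplied by the person auditing the image.

# cfg_enabled FILE SYMBOL: succeeds if SYMBOL=y appears in the busybox .config.
cfg_enabled() {
    grep -q "^$2=y\$" "$1"
}

# has_openssl ROOTFS: succeeds if an executable named openssl exists in one of
# the usual PATH directories of the image (directory list is an assumption).
has_openssl() {
    for d in usr/bin bin usr/sbin sbin usr/local/bin; do
        if [ -x "$1/$d/openssl" ]; then
            return 0
        fi
    done
    return 1
}

# wget_tls_status FILE ROOTFS: prints one of
#   openssl-helper          wget hands https to the external openssl binary
#   internal-no-validation  wget uses its internal client, which prints
#                           "note: TLS certificate validation not implemented"
#   https-unavailable       neither path is usable in this image
wget_tls_status() {
    cfg=$1
    rootfs=$2
    if cfg_enabled "$cfg" CONFIG_FEATURE_WGET_OPENSSL && has_openssl "$rootfs"; then
        echo openssl-helper
    elif cfg_enabled "$cfg" CONFIG_FEATURE_WGET_HTTPS; then
        echo internal-no-validation
    else
        echo https-unavailable
    fi
}

# Run as a script only when both arguments are given.
if [ "$#" -eq 2 ]; then
    wget_tls_status "$1" "$2"
fi
```

Run against the image rootfs and busybox .config from a build, a result of internal-no-validation marks the images that would still fetch https URLs without certificate validation.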