On Fri, May 25, 2018 at 12:50 AM, Jakub Jirutka wrote:
> Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation
> of the server's certificate. It is documented in the code, but not
> even mentioned in the --help message, so users typically don't know
> about this behaviour. That's
On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security p
Good evening Denys,
I agree with you that this patch is unacceptable, I also agree that
everyone who is complaining about the situation should send patches, but
I strongly disagree that it is valid to break security to keep "common
use cases" working. Using security-techniques like https should ne
wget should work for common use cases.
Such as downloading sources of kernels, gcc and such.
From build scripts, not only by hand.
Without having to modify said scripts.
Your patch breaks that.
NAK.
I don't care that security people are upset.
They are paranoid, it's part of their profession.
It d
//config: If you still think this is unacceptable, send patches.
That’s exactly what I did.
http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
Jakub
On 2018-05-26 17:54, Denys Vlasenko wrote:
On Sat, May 26, 2018 at 5:39 PM, wrote:
That's a crime against security!
Sa
On Fri, May 11, 2018 at 7:32 PM, James Byrne wrote:
> Back in 2007, bb_simple_perror_msg() was introduced to allow for a lower
> overhead call to bb_perror_msg() when only a string was being printed
> with no parameters. This saves space because it avoids the overhead of a
> call to a variadic fun
On Sat, May 26, 2018 at 5:39 PM, wrote:
>>> That's a crime against security!
>>
>> Say what?
>
> That’s a hyperbole. The thing is that when you don’t verify the peer’s
> certificate, then you’re vulnerable to MitM attack with fake certificate
> injection. The whole SSL/TLS is totally useless in t
That's a crime against security!
Say what?
That’s a hyperbole. The thing is that when you don’t verify the peer’s
certificate, then you’re vulnerable to MitM attack with fake certificate
injection. The whole SSL/TLS is totally useless in that moment. It’s
more or less like putting the door’