Hello,
> The justification for including HTTPS in the first place:
> https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
>
> "my small automatic tooling to build cross-compilers from sources no
> longer works, I need to additionally keep a local c
> On May 24, 2018, at 9:54 AM, Eli Schwartz wrote:
>
> Currently busybox distributes the file
> https://busybox.net/downloads/busybox-1.28.4.tar.bz2.sign which is an
> armored plaintext file containing inline md5sums/sha1sums in a sea of
> text which cannot be easily parsed by e.g. distro packa
Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification
of the server's certificate. It is documented in the code, but not
even mentioned in the --help message, so users typically don't know
about this behaviour. That's a crime against security!
This patch adds a warning message;
The story just broke earlier this year how a casino hotel "smart
thermometer" in the fish tank was used as a backdoor to attack the rest
of their network.
If a smart device running busybox is programmed to automatically check
for firmware updates, the designers might expect HTTPS to be a valid
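Since the internal TLS code does not check the server's certificate, a build script that fetches sources with busybox wget over https gets no more assurance than plain http. The usual defence is to pin the expected digest out of band (for example from a signed release announcement) and refuse the download on mismatch. The following is an added example, not a patch from this thread or busybox's own code; it assumes POSIX sh with a `sha256sum` from coreutils or busybox, and the `fetch_verified` function name is the author's own:

```shell
#!/bin/sh
# Added example (not from the busybox thread): treat a file fetched with
# busybox wget's non-verifying TLS as untrusted until its SHA-256 matches a
# digest obtained out of band. Assumes POSIX sh and a coreutils/busybox
# sha256sum; "fetch_verified" and "verify_sha256" are names chosen here.

# verify_sha256 FILE EXPECTED_HEX -> exit 0 iff the file's digest matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_HEX DEST: download to a temporary name,
# verify, and only then move into place so a tampered or truncated file
# never appears under the final name.
fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    tmp="$dest.part.$$"
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        echo "checksum mismatch for $url, discarding download" >&2
        rm -f "$tmp"
        return 2
    fi
}
```

Because the digest is compared after the transfer, the check holds whether the transport was https with a forged certificate, http, or a local mirror.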
Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
> I don't care that security people are upset.
> They are paranoid, it's part
Denys,
Most common use case for https is to give some sort of guarantee that
you actually get what you think you get or that you get from who you
think you get it from. That is what most people expect when downloading
from https. If you don't care about verifying that, then the common use
case is
On 05/27/2018 11:58 AM, Eli Schwartz wrote:
> It's unacceptable that for something which you see as primarily useful
> in downloading very important source code, you simply don't care that
> the source code may be compromised by a MITMed attack.
> This is incredibly terrible logic, your cross-compi
On 05/26/2018 01:34 PM, Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security people are
Hi Denys,
On 26/05/18 17:21, Denys Vlasenko wrote:
> The patch is whitespace damaged, please send as attachment next time.
I sent with 'git send-email' as I thought that would avoid any damage,
but clearly it didn't work. Will send as an attachment next time.
On Fri, May 11, 2018 at 7:32 PM, J