Re: [PATCH 1/1] libbb: reduce the overhead of single parameter bb_error_msg() calls

2018-05-27 Thread James Byrne
Hi Denys,

On 26/05/18 17:21, Denys Vlasenko wrote:
> The patch is whitespace damaged, please send as attachment next time.

I sent with 'git send-email' as I thought that would avoid any damage, but clearly it didn't work. Will send as an attachment next time.

On Fri, May 11, 2018 at 7:32 PM,

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-27 Thread Ralf Friedl
Denys Vlasenko wrote:
> wget should work for common use cases. Such as downloading sources of kernels, gcc and such. From build scripts, not only by hand. Without having to modify said scripts. Your patch breaks that. NAK. I don't care that security people are upset. They are paranoid, it's part

[PATCH] wget: print warning when internal TLS is used

2018-05-27 Thread Jakub Jirutka
Internal TLS code (FEATURE_WGET_HTTPS) does not implement verification of the server's certificate. It is documented in the code, but not even mentioned in the --help message, so users typically don't know about this behaviour. That's a crime against security! This patch adds a warning message;
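The behaviour Jakub describes, a TLS client that completes the handshake without checking who signed the server's certificate, is easiest to see next to a verifying client. The Go program below is an added example written for this page; it is not busybox code and not part of the patch. It starts a loopback HTTPS server whose certificate is the self-signed one net/http/httptest issues (standing in for an untrusted or forged host), serves a constructed "firmware" payload, and fetches it three ways: with verification disabled, with Go's default verification against the system root store, and with the expected certificate pinned as the only trust anchor. The function names startServer, fetch, insecureConfig and pinnedConfig and the payload string are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// firmwarePayload is a constructed stand-in for a firmware image served over HTTPS.
const firmwarePayload = "firmware-v2.bin contents"

// startServer starts a loopback HTTPS server. httptest issues it a
// self-signed certificate, which plays the role of an attacker's or
// misconfigured host: no public CA vouches for it.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, firmwarePayload)
	}))
}

// insecureConfig mirrors a client that skips certificate verification
// entirely; any certificate, including a forged one, is accepted.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// pinnedConfig trusts exactly one certificate (the one the operator expects
// the update server to present) instead of the system root store.
func pinnedConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool}
}

// isVerifyError reports whether err is an X.509 chain, hostname or root-store failure.
func isVerifyError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) ||
		errors.As(err, &invalid) || errors.As(err, &noRoots)
}

// fetch downloads url with the given TLS client configuration (nil means
// Go's default: verify against the system root store). It returns the body
// on success; on failure it reports whether the cause was certificate
// verification, so the caller can tell "rejected" from "unreachable".
func fetch(url string, cfg *tls.Config) (body string, verifyFailed bool, err error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", isVerifyError(err), err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", false, err
	}
	return string(data), false, nil
}

func main() {
	srv := startServer()
	defer srv.Close()

	body, _, err := fetch(srv.URL, insecureConfig())
	fmt.Printf("no verification: body=%q err=%v\n", body, err)

	_, verifyFailed, err := fetch(srv.URL, nil)
	fmt.Printf("system roots:    verifyFailed=%v err=%v\n", verifyFailed, err)

	body, _, err = fetch(srv.URL, pinnedConfig(srv.Certificate()))
	fmt.Printf("pinned cert:     body=%q err=%v\n", body, err)
}
```

The unverified client downloads the payload without complaint, which is what a build script or a device calling a non-verifying HTTPS client sees; the client using the system root store refuses with an unknown-authority error; pinning the expected certificate succeeds and is the usual pattern for a device that only ever talks to one known update server. The same idea works as a check against a wget binary: point it at a host presenting a self-signed certificate, and treat a successful download with no option such as --no-check-certificate given as evidence that verification is not happening.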

Re: Please PGP-sign releases

2018-05-27 Thread Richard Yao
> On May 24, 2018, at 9:54 AM, Eli Schwartz wrote:
>
> Currently busybox distributes the file
> https://busybox.net/downloads/busybox-1.28.4.tar.bz2.sign which is an
> armored plaintext file containing inline md5sums/sha1sums in a sea of
> text which cannot be easily

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-27 Thread Michael Conrad
The story just broke earlier this year how a casino hotel "smart thermometer" in the fish tank was used as a backdoor to attack the rest of their network. If a smart device running busybox is programmed to automatically check for firmware updates, the designers might expect HTTPS to be a

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-27 Thread Eli Schwartz
On 05/26/2018 01:34 PM, Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security people

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-27 Thread Natanael Copa
Denys, Most common use case for https is to give some sort of guarantee that you actually get what you think you get or that you get from who you think you get it from. That is what most people expect when downloading from https. If you don't care about verifying that, then the common use case is

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-27 Thread Eli Schwartz
On 05/27/2018 11:58 AM, Eli Schwartz wrote:
> It's unacceptable that for something which you see as primarily useful
> in downloading very important source code, you simply don't care that
> the source code may be compromised by a MITMed attack.
> This is incredibly terrible logic, your