List: asterisk-dev
Subject: Re: [asterisk-dev] Authenticated downloads of external stuff?
From: Alexander Traud <pabstraud () compuserve ! com>
Date: 2018-02-17 12:49:00
Message-ID: CFEB0DC3-4BE6-447E-B58A-0036E7E9C2F4 () compuserve ! com
> The external modules might be problematic since their versions are
> only tied to major Asterisk releases.

Oops. Did not know that. However, that part does not work in FreeBSD at
all. And I do not use it in Ubuntu either. Consequently, it does not
prevent anybody from securing those other parts.

As a long-term solution, one could use signed downloads for those external
modules, and place a common public key into the tarball. That would
raise the dependencies only of the external modules (to OpenPGP [1] or
OpenSSL [2] for example). Even that could stay optional for the curious.

[1] <http://stackoverflow.com/q/30699989>
[2] <http://www.bradfordembedded.com/2016/06/openssl-file-signing>
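
The signed-download scheme proposed in this message, sketched with the OpenSSL command line as an added example; it is not part of the original post and not Asterisk's build code. The key pair, file names, payload and function names are constructed for the demo.

```shell
#!/bin/sh
# Added illustration. Key, file names and payload are constructed for the demo.

# Maintainer side: create a signing key pair and sign one module archive.
# The private key stays with the maintainers; only release.pub ships in the tarball.
make_demo_release() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/release.key" 2>/dev/null || return 1
    openssl pkey -in "$dir/release.key" -pubout -out "$dir/release.pub" || return 1
    printf 'constructed external module payload\n' > "$dir/module.tar.gz"
    openssl dgst -sha256 -sign "$dir/release.key" \
        -out "$dir/module.tar.gz.sig" "$dir/module.tar.gz"
}

# Build side: succeed only if SIG is a valid signature over FILE by PUBKEY.
verify_download() {
    file=$1 sig=$2 pubkey=$3
    [ -s "$file" ] && [ -s "$sig" ] && [ -s "$pubkey" ] || return 2
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$file" >/dev/null 2>&1
}

# Install FILE into DEST only after the signature check passes.
install_if_signed() {
    file=$1 dest=$2 pubkey=$3
    if verify_download "$file" "$file.sig" "$pubkey"; then
        cp "$file" "$dest"
    else
        echo "refusing to install $file: signature check failed" >&2
        return 1
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/modules"
    make_demo_release "$tmp" || return 1
    install_if_signed "$tmp/module.tar.gz" "$tmp/modules/" "$tmp/release.pub" \
        && echo "untouched download: installed"
    # Simulate a download modified in transit or on the mirror.
    printf 'extra bytes\n' >> "$tmp/module.tar.gz"
    install_if_signed "$tmp/module.tar.gz" "$tmp/modules/" "$tmp/release.pub" \
        || echo "modified download: rejected"
    rm -rf "$tmp"
}

demo
```

The check only helps if the public key arrives with the already-trusted tarball rather than from the same server as the module and its signature.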