
List:       asterisk-dev
Subject:    Re: [asterisk-dev] Authenticated downloads of external stuff?
From:       Alexander Traud <pabstraud () compuserve ! com>
Date:       2018-02-17 12:49:00
Message-ID: CFEB0DC3-4BE6-447E-B58A-0036E7E9C2F4 () compuserve ! com

> The external modules might be problematic since their versions are
> only tied to major Asterisk releases.

Oops. Did not know that. However, that part does not work in FreeBSD at
all. And I do not use it in Ubuntu either. Consequently, it does not
prevent anybody from securing those other parts.

As a long-term solution, one could use signed downloads for those external
modules, and place a common public key into the tarball. That would
raise the dependencies only of the external modules (to OpenPGP [1] or
OpenSSL [2] for example). Even that could stay optional for the curious.

[1] <http://stackoverflow.com/q/30699989>
[2] <http://www.bradfordembedded.com/2016/06/openssl-file-signing>
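
The signed-download idea from the message above, sketched with the OpenSSL command line (an added example, not part of the original post and not Asterisk's own download script). The key pair, the file names and the function names are constructed for the demo; in practice only the public key would ship inside the tarball.

```shell
#!/bin/sh
# Added example: detached-signature check for a downloaded external module.
# All file names and the key pair are constructed for this demo.

# verify_download FILE SIG PUBKEY -> exit 0 only if SIG is a valid
# SHA-256 signature over FILE made by the private half of PUBKEY.
verify_download() {
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2   # missing/empty input
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# install_if_signed FILE SIG PUBKEY DEST -> copy FILE to DEST only after
# the signature verified; refuse (and leave DEST untouched) otherwise.
install_if_signed() {
    if verify_download "$1" "$2" "$3"; then
        cp "$1" "$4"
    else
        echo "refusing $1: signature check failed" >&2
        return 1
    fi
}

# demo_setup DIR: plays the publisher. Creates a key pair and signs a
# constructed module file; release.pub stands in for the bundled public key.
demo_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/release.key" 2>/dev/null
    openssl pkey -in "$1/release.key" -pubout -out "$1/release.pub"
    printf 'constructed module payload\n' > "$1/codec_example.tar.gz"
    openssl dgst -sha256 -sign "$1/release.key" \
        -out "$1/codec_example.tar.gz.sig" "$1/codec_example.tar.gz"
}

demo() {
    d=$(mktemp -d) && demo_setup "$d" || return 1
    install_if_signed "$d/codec_example.tar.gz" "$d/codec_example.tar.gz.sig" \
        "$d/release.pub" "$d/installed.tar.gz" && echo "genuine: installed"
    printf 'x' >> "$d/codec_example.tar.gz"     # simulate tampering in transit
    install_if_signed "$d/codec_example.tar.gz" "$d/codec_example.tar.gz.sig" \
        "$d/release.pub" "$d/installed2.tar.gz" || echo "tampered: rejected"
    rm -rf "$d"
}

demo
```

The check only protects the download if the public key arrives by a path the attacker cannot alter, which is why the message proposes shipping it inside the release tarball.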


