[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: Re: [PATCH] wget: don't silently ignore certificate validation
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2018-05-28 10:50:44
Message-ID: CAK1hOcPb0e4ZQyhr+SC+Huo5mTi7hH_7c-=ap_zvbyi7sCgaGg () mail ! gmail ! com
[Download RAW message or body]
On Sun, May 27, 2018 at 2:21 AM, Kang-Che Sung <explorer09@gmail.com> wrote:
> On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko
> <vda.linux@googlemail.com> wrote:
>> wget should work for common use cases.
>> Such as downloading sources of kernels, gcc and such.
>> From build scripts, not only by hand.
>> Without having to modify said scripts.
>> Your patch breaks that.
>> NAK.
>>
>> I don't care that security people are upset.
>> They are paranoid, it's part of their profession.
>> It does not mean everybody else have to be as paranoid.
>>
>> If you have a patch which adds actual cert checking
>> and thus does not introduce regressions, please post it.
>
> I think I need to point out that in usability perspective, BusyBox's current
> behaviour is not ideal. It should give a runtime warning that certificate
> checks are skipped, instead of pass it silently.
I'll accept such patch.
> Of course, it would be better
> if actual certificate check is implemented, but if builder disables it (for
> binary size or simplicity), there should be a runtime warning so that usability
> for secure people won't be compromised.
Sure, it'll be wonderful if more people hack on TLS code, improving it.
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic