[PATCH v3] treewide: switch to HTTPS by default

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Aug 27 06:58:01 EDT 2020


On 25-08-20, Paul Spooren wrote:
> From: Petr Štetiar <ynezz at true.cz>
> 
> As there is now wolfSSL included by default due to SAE/WPA3 we can
> finally switch to TLS/SSL in other parts as well.

The commit message needs improvement, especially "treewide: switch to
HTTPS by default".  What is switched to HTTPS exactly?  It could be source
download URL, package download URL on the device, package download URL on
the imagebuilder...  What parts of OpenWrt are expected to be impacted by
this?

Other comments below:

> --- a/include/target.mk
> +++ b/include/target.mk
> @@ -13,13 +13,41 @@ __target_inc=1
>  DEVICE_TYPE?=router
>  
>  # Default packages - the really basic set
> -DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg netifd fstools uclient-fetch logd urandom-seed urngd
> +DEFAULT_PACKAGES:=\
> +	base-files \
> +	busybox \
> +	ca-bundle \
> +	dropbear \
> +	fstools \
> +	libc \
> +	libgcc \
> +	logd \
> +	mtd \
> +	netifd \
> +	opkg \
> +	uci \
> +	uclient-fetch \
> +	urandom-seed \
> +	urngd
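
Review bot: the only functional change in the new DEFAULT_PACKAGES list is the added ca-bundle line, and it is hard to spot because the same hunk also reflows the assignment to one package per line and sorts it. Keep the original single-line assignment and append ca-bundle to it, or do the reflow in a separate commit. Note also that ca-bundle only supplies trust anchors: no TLS backend for uclient-fetch appears among the quoted lines, so unless one is added elsewhere in the patch, HTTPS fetches on a default image would still fail.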

This is hard to read, please drop the cosmetic changes or move them to a
separate commit.

Also, it seems it's missing the actual change, i.e. libustream-wolfssl?

> --- a/include/version.mk
> +++ b/include/version.mk
> @@ -32,7 +32,7 @@ VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
>  VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))
>  
>  VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
> -VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/snapshots)
> +VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/snapshots)
>  
>  VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
>  VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
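
Review bot: in the VERSION_REPO fallback only the built-in default moves to https; a value set through CONFIG_VERSION_REPO is passed through unchanged, so existing configurations that carry an http:// URL keep using plain HTTP. Say so in the commit message, and state there that the https default depends on the image shipping both a CA bundle and a TLS-capable fetcher, since an image built without them would not be able to use the default repository URL.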

VERSION_REPO needs to be updated as well in package/base-files/image-config.in.

It's not used by default (because it's guarded by IMAGEOPT and VERSIONOPT)
but it can be used to customize the download URL.  So it's more logical if
it starts with the same value as the default download URL.

Also, several scripts will need adaptation:

- makebranch.sh in maintainer-tools

- maketag.sh in maintainer-tools.  This one should be adapted carefully so
  that it still works for 19.07.X.

Baptiste