[PATCH] Revert "build: switch VERSION_REPO to HTTPS"

Petr Štetiar ynezz at true.cz
Wed Nov 25 05:41:14 EST 2020


Paul Spooren <mail at aparcar.org> [2020-11-24 22:29:00]:

Hi,

> Using HTTPS for opkg dramatically slows down download of packages and reload
> of indexes.

do you have such dramatic numbers handy?

> This was mostly introduced to secure the ImageBuilder. However with the
> usign signature checking ability added to ImageBuilders, this becomes
> obsolete. It is still possible to manually change feeds to HTTPS if desired,
> but the default can be HTTP.

I don't agree. From my point of view HTTPS is another protection layer and
should be enabled by default. It's our safety net against issues like
CVE-2020-7982[1]; as we know, regressions are quite common in the software world.

> This was already requested via IRC and somewhat accepted as the
> current ustream-wolfssl implementation is broken.

If it's broken, then it should be fixed. If it's unmaintained then the package
should be disabled or removed. Disabling HTTPS is not going to fix that issue
in the ustream-wolfssl package as reported in FS#3465.

-- ynezz


