Avoid excessive use of FTP #3577
base: testing
Conversation
65407e8 to faeb8bd
- Please roll back changes that have no security implications, like changes to comments
- Without a script that checks that every HTTP->HTTPS URL both supports HTTPS and has a valid (= not self-signed) certificate, this PR is super dangerous
Word of caution: at some point I tried to remove the
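The reviewer above asks for a script that confirms each rewritten URL actually serves HTTPS with a certificate that validates. Here is one way to do that, as an added example; it is not code from this pull request or from woof-CE, and the URL list, the hostnames and the verdict labels are constructed for the illustration. It rewrites ftp://, git:// and http:// to https://, then checks each candidate with Python's default verifying TLS context, so a self-signed or otherwise invalid certificate is reported as a failure rather than silently accepted.

```python
"""Rewrite ftp://, git:// and http:// URLs to https:// and verify that the
HTTPS endpoint answers with a certificate the system trust store accepts.

Added example, not part of the woof-CE pull request. The URL-list format
(one URL per line, '#' comments), the sample hosts and the verdict labels
are constructed for this example.
"""
import http.client
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: a mix of schemes as they might appear in a build script.
SAMPLE_URLS = """\
# kernel sources
ftp://ftp.example.org/pub/linux/kernel.tar.xz
git://github.com/example/woof-CE.git
http://archive.example.com/ubuntu/dists/
https://already.example.net/file.pet
file:///home/user/local-sources/busybox.tar.gz
"""

REWRITABLE = {"ftp", "git", "http"}


def parse_url_list(text):
    """Return the non-empty, non-comment lines of a URL list."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            urls.append(line)
    return urls


def rewrite_to_https(url):
    """Return (new_url, changed). Only ftp/git/http are rewritten; https and
    file URLs come back unchanged."""
    parts = urlsplit(url)
    if parts.scheme in REWRITABLE:
        return urlunsplit(("https",) + tuple(parts[1:])), True
    return url, False


def classify_failure(exc):
    """Map an exception raised while connecting to a reason label.
    Certificate problems (self-signed, expired, wrong host) are reported
    separately from 'no HTTPS at all'; both mean the rewrite must not land.
    Order matters: SSLCertVerificationError < SSLError < OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "invalid-certificate"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, OSError)):
        return "no-https-service"
    return "other-error"


def check_https(url, timeout=10):
    """HEAD-request url over TLS with the default (verifying) context.
    Returns (ok, reason). Verification is never disabled: a self-signed
    certificate counts as a failure, not something to work around."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", parts.path or "/")
        status = conn.getresponse().status
        return status < 400, "http-%d" % status
    except Exception as exc:
        return False, classify_failure(exc)
    finally:
        conn.close()


def audit(text, checker=check_https):
    """Return (original, candidate, verdict) for every URL in the list.
    The checker is injectable so the rewrite logic can be exercised offline."""
    report = []
    for url in parse_url_list(text):
        candidate, changed = rewrite_to_https(url)
        if not changed:
            report.append((url, candidate, "unchanged"))
            continue
        ok, reason = checker(candidate)
        verdict = "safe-to-rewrite" if ok else "keep:" + reason
        report.append((url, candidate, verdict))
    return report


if __name__ == "__main__":
    # Live run against the constructed sample list (needs network access).
    for original, candidate, verdict in audit(SAMPLE_URLS):
        print(f"{verdict:28} {original} -> {candidate}")
```

Usage: feed it the list of URLs that a changeset proposes to rewrite, and only commit the rewrites that come back `safe-to-rewrite`; anything reported as `keep:invalid-certificate` is exactly the self-signed case the review comment warns about, and `keep:no-https-service` covers hosts like a plain-HTTP archive mirror that must stay on the old scheme.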
faeb8bd to cab0465
OK, I've got that. I think I'll leave all http:// links intact for some time, and only change the ftp:// and git:// links (there is a git:// link that points to GitHub, which supports HTTPS), because FTP is a really old and insecure protocol.
AFAIK git:// is plaintext too
30ebe0c to 772dc42
OK, all git:// and ftp:// were switched to https://. Also, I've switched some http:// to https://, and removed all mirrors I was not sure about.
Also, as far as I checked, archive.ubuntu.com doesn't support HTTPS, so in that case, HTTP is the only option. I'm also researching the possibility of building a Puppy distribution from the user's local sources, so it could be built without an active Internet connection.
If you use file:// URLs, it will mostly work. There will be some exceptions (like petbuilds, the ad blocker's pinstall.sh, etc.).
Hello everyone! Today, I've looked at the woof-CE source code, and found that it excessively uses insecure protocols that don't verify the integrity of received data and are therefore vulnerable to malicious injections from untrusted networks. I would like to avoid that, because woof-CE deals with very sensitive software code (such as the kernel).