
Avoid excessive use of FTP #3577

Open: wants to merge 2 commits into base: testing

Conversation

@ChrysoliteAzalea ChrysoliteAzalea commented Nov 5, 2022

Hello everyone! Today, I've looked at the woof-CE source code, and found that it excessively uses insecure protocols that don't verify the integrity of received data and are therefore vulnerable to malicious injections from untrusted networks. I would like to avoid that, because woof-CE deals with very sensitive software code (such as the kernel).

@dimkr dimkr left a comment


  1. Please roll back changes that have no security implications, like changes to comments
  2. Without a script that checks that every HTTP->HTTPS URL both supports HTTPS and has a valid (= not self-signed) certificate, this PR is super dangerous
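An added example of the kind of check asked for above; it is not code from this PR or from woof-CE, the helper names (to_https, classify_https, verdict) are assumed, and it needs curl. For each URL it rewrites ftp://, git:// and http:// to https://, then reports whether the host serves HTTPS with a certificate that verifies against the system CA bundle, serves only with verification disabled (the case that wget --no-check-certificate would silently accept), or has no HTTPS service at all.

```shell
#!/bin/sh
# Added example, not woof-CE code: before rewriting ftp:// git:// or http://
# URLs to https://, check that the host really serves HTTPS with a certificate
# that verifies against the system CA bundle. Helper names are assumed; needs curl.

# Rewrite the scheme; https:// and file:// URLs are left untouched.
to_https() {
    printf '%s\n' "$1" | sed -E 's#^(ftp|git|http)://#https://#'
}

# HEAD request over HTTPS only (a redirect to plaintext is refused); prints the
# HTTP status, exits non-zero on TLS or connection failure. $2 = extra curl flags.
probe() {
    curl -sSIL --max-time 15 --proto =https --proto-redir =https \
        -o /dev/null -w '%{http_code}' $2 "$1" 2>/dev/null
}

# valid:       reachable and the certificate chain verifies
# badcert:     reachable only with verification disabled (-k), i.e. the case
#              that wget --no-check-certificate silently accepts
# unreachable: no working HTTPS service at that address
classify_https() {
    if code=$(probe "$1") && [ "$code" -lt 400 ]; then
        echo valid
    elif code=$(probe "$1" -k) && [ "$code" -lt 400 ]; then
        echo badcert
    else
        echo unreachable
    fi
}

# Action a reviewer would take for each classification.
verdict() {
    case $1 in
        valid)       echo "switch to https://" ;;
        badcert)     echo "keep original: HTTPS served but certificate does not verify" ;;
        unreachable) echo "keep original: no HTTPS service" ;;
        *)           echo "unknown" ;;
    esac
}

# Usage: sh check_https.sh URL...  (one report line per URL; no args = no-op)
for url in "$@"; do
    new=$(to_https "$url")
    printf '%s -> %s: %s\n' "$url" "$new" "$(verdict "$(classify_https "$new")")"
done
```

Servers that reject HEAD requests (405) are reported as unreachable; swap -I for a ranged GET if a mirror behaves that way.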

dimkr commented Nov 5, 2022

Word of caution: at some point I tried to remove the --no-check-certificate in wget -P ${DOWNLOAD_DIR} --no-check-certificate "${URL}", but it looks like in some cases, woof-CE uses HTTPS URLs with broken certificates.

@ChrysoliteAzalea

OK, I've got that. I think I'll leave all http:// links intact for some time, and only change the ftp:// and git:// links (there is a git:// link that points to GitHub, which supports HTTPS), because FTP is a really old and insecure protocol.

dimkr commented Nov 5, 2022

AFAIK git:// is plaintext too

@ChrysoliteAzalea ChrysoliteAzalea changed the title Avoid extensive use of HTTP and FTP protocols Avoid extensive use of FTP Nov 5, 2022
@ChrysoliteAzalea

OK, all git:// and ftp:// were switched to https://. Also, I've switched some http:// to https://, and removed all mirrors I was not sure about.

@ChrysoliteAzalea ChrysoliteAzalea changed the title Avoid extensive use of FTP Avoid excessive use of FTP Nov 5, 2022
@ChrysoliteAzalea

Also, as far as I checked, archive.ubuntu.com doesn't support HTTPS, so in that case, HTTP is the only option.

I'm also researching the possibility of building a Puppy distribution from the user's local sources, so it could be built without an active Internet connection.

dimkr commented Nov 6, 2022

> I'm also researching the possibility of building a Puppy distribution from the user's local sources, so it could be built without an active Internet connection.

If you use file:// URLs, it will mostly work. There will be some exceptions (like petbuilds, the ad blocker's pinstall.sh, etc.).
