On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko
<vda.li...@googlemail.com> wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else has to be as paranoid.
>
> If you have a patch which adds actual cert checking
> and thus does not introduce regressions, please post it.
>

I think I need to point out that from a usability perspective, BusyBox's current
behaviour is not ideal. It should give a runtime warning that certificate
checks are skipped, instead of passing it silently. Of course, it would be better
if an actual certificate check is implemented, but if the builder disables it (for
binary size or simplicity), there should be a runtime warning so that usability
for secure people won't be compromised.
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
