Downloading the package source from an insecure location and using an insecure hash (md5) would allow a malicious proxy to inject vulnerabilities. The build system would be unable to detect it.
Signed-off-by: Bruno Thomsen <b...@kamstrup.com>
---
 rules/strongswan.make | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 9a9dd40..033deeb 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -21,7 +21,7 @@ STRONGSWAN_VERSION := 5.3.2
 STRONGSWAN_MD5 := fab014be1477ef4ebf9a765e10f8802c
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX := tar.bz2
-STRONGSWAN_URL := http://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
+STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_SOURCE := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_DIR := $(BUILDDIR)/$(STRONGSWAN)
 STRONGSWAN_LICENSE := GPL
-- 
2.1.4
-- 
ptxdist mailing list ptxdist@pengutronix.de
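Review bot: The only content check on this tarball is still `STRONGSWAN_MD5`, three lines above the changed `STRONGSWAN_URL`, so the weak-hash half of the problem named in the commit message is left open. After this change, authenticity rests on the HTTPS transport alone, which holds only if the fetch step validates the server certificate and no mirror or cached copy in `$(SRCDIR)` is used instead; neither is visible in this hunk. If the build system accepts a stronger digest for package sources, pin one here, taken from a value verified against the upstream release signature. Until then, a comment next to the checksum would make the limitation explicit, e.g. `# MD5 guards against corruption only; authenticity depends on the HTTPS download`.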