Re: Non-Git build might download submodules over unencrypted HTTP

2022-11-01 Thread Caolán McNamara
On Mon, 2022-10-24 at 00:35 +0200,
some-java-user-99206970363698485...@vodafonemail.de wrote:
> Hello,
> it looks like building LibreOffice without Git might download
> submodules over unencrypted HTTP without checking authenticity or
> integrity. The relevant code is here:
> https://github.com/LibreOffice/core/blob/648c70ac2caf2646ee8ff49bd8d846016d289b38/Makefile.in#L263

https://gerrit.libreoffice.org/c/core/+/142025 to use https instead of
http at least



Non-Git build might download submodules over unencrypted HTTP

2022-10-23 Thread some-java-user-99206970363698485155
Hello,
it looks like building LibreOffice without Git might download submodules over 
unencrypted HTTP without checking authenticity or integrity. The relevant code 
is here:
https://github.com/LibreOffice/core/blob/648c70ac2caf2646ee8ff49bd8d846016d289b38/Makefile.in#L263

It would probably be good to at least replace the `http://` of the URL with 
`https://`, but if possible it might also be good to introduce authenticity / 
integrity validation since the files are downloaded from mirrors (if I see that 
correctly). Even though I assume you only chose trustworthy mirror sites, each 
mirror site increases the attack surface nonetheless so an authenticity check 
would be useful.

I am not planning to submit a pull request since I am not familiar with the 
build setup of LibreOffice. Hopefully that is fine for you.

Kind regards
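The two suggestions in the report (HTTPS-only fetch plus an authenticity/integrity check on mirror downloads) in shell form, as an added example that is not LibreOffice's build code: a fetch helper that refuses non-HTTPS URLs, forbids redirects to plain HTTP, and fails closed unless the downloaded file's SHA-256 matches a digest pinned in the build tree. The mirror URL and digest are placeholders.

```shell
#!/bin/sh
# Added example: https-only download with a pinned SHA-256 (not LibreOffice's
# own code; the mirror URL and digest used in the usage line are placeholders).
set -u

# Pick a SHA-256 tool: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match; 1 on mismatch, file removed
# so a tampered or truncated download can never be used by a later build step.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "integrity check failed for $file: got $actual, want $expected" >&2
    rm -f "$file"
    return 1
}

# Reject anything that is not https:// before any network access happens.
require_https() {
    case $1 in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# fetch_verified URL EXPECTED_HEX DEST: https-only download, then verify.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    require_https "$url" || return 1
    # --proto '=https' also blocks redirects to plain http; --fail rejects 4xx/5xx.
    curl --proto '=https' --tlsv1.2 --fail --location --silent --show-error \
         --output "$dest" "$url" || { rm -f "$dest"; return 1; }
    verify_sha256 "$dest" "$expected"
}

# Usage (placeholder mirror URL and digest, not real values):
# fetch_verified https://mirror.example/src/foo-1.0.tar.gz <sha256hex> foo-1.0.tar.gz
```

The pinned digest has to come from a trusted source (the project's own tree or a signed release manifest), not from the same mirror as the tarball, or the check adds nothing.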