Re: [yocto-security] [PATCH] busybox: use openssl for TLS connections whenever possible


Khem Raj

On Tue, Apr 20, 2021 at 1:46 PM Shachar Menashe <shachar@...> wrote:

Last time we talked about this I thought we would need to change something in openssl build settings to make the openssl binary get built just for this solution, and that was what got rejected.
But actually now I see (or perhaps it got changed) that the openssl binary is built anyways, in any build that already relies on openssl.
So my suggestion is to enable this feature. Like I said, in builds with openssl it will make everything more secure in a transparent manner, and in builds without openssl it will display a warning, just like today.
How much does busybox size grow with this? I think we will have to add an
openssl dependency on it, or else the default wget behaviour will be less
than ideal. Right now perhaps using GNU wget is a standalone solution,
but I do understand that it may not be usable in some cases.

I wouldn't consider it a hacky solution since this is the official solution for this issue.
This is also exacerbated by the fact that there are no other alternatives for secure download from the CLI (e.g. the sato build doesn't contain the "curl" standalone binary).
Certainly, adding curl to the default reference images would be fine.