Re: [yocto-security] [PATCH] busybox: use openssl for TLS connections whenever possible

Andre McCurdy

On Wed, Apr 21, 2021 at 2:22 AM Shachar Menashe <shachar@...> wrote:
On Tue, Apr 20, 2021 at 1:46 PM Shachar Menashe <shachar@...> wrote:

Last time we talked about this, I thought we would need to change something in openssl build settings to make the openssl binary get built just for this solution, and that was what got rejected.
But actually now I see (or perhaps it got changed) that the openssl binary is built anyways, in any build that already relies on openssl.
So my suggestion is to enable this feature. Like I said, in builds with openssl it will make everything more secure in a transparent manner, and in builds without openssl it will display a warning just like today.
I wouldn't consider it a hacky solution since this is the official solution for this issue.

It's very clearly a hack. Maybe it's the "official solution" for
supporting https with busybox wget, but OE has a wider scope - we're
not limited to busybox wget if a better overall solution is available.

This is also exacerbated by the fact that there are no other alternatives for secure download from the CLI (e.g. the sato build doesn't contain the "curl" standalone binary).

I don't see an issue with adding curl to any OE reference image which
needs an https client.

OK, so do you suggest adding curl and removing wget? (that would be a patch with a configuration change to busybox)
Yes, sounds good to me.
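For readers who want to see what the two options discussed above look like in an OE layer, here is an added example; it is not part of the thread or of any OE-Core patch. The layer name (meta-mylayer) and the .cfg file names are assumptions; CONFIG_FEATURE_WGET_HTTPS, CONFIG_FEATURE_WGET_OPENSSL and CONFIG_WGET are real busybox config symbols, and ca-certificates is the existing OE-Core recipe that curl needs to verify server certificates.

```bitbake
# --- Option A (Shachar's proposal): keep busybox wget, let it hand TLS to the
# openssl binary. Only helps in builds that already ship openssl; without it
# busybox falls back to its internal TLS code and prints
# "note: TLS certificate validation not implemented" on every https fetch.

# meta-mylayer/recipes-core/busybox/busybox_%.bbappend   (layer name assumed)
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://wget-openssl.cfg"

# meta-mylayer/recipes-core/busybox/files/wget-openssl.cfg   (file name assumed)
CONFIG_FEATURE_WGET_HTTPS=y
CONFIG_FEATURE_WGET_OPENSSL=y

# --- Option B (what Andre agreed to): drop busybox wget from the image and
# ship curl instead, so there is exactly one https client on the rootfs and it
# is one that verifies certificates against the system CA bundle.

# meta-mylayer/recipes-core/busybox/busybox_%.bbappend   (replaces option A)
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://no-wget.cfg"

# meta-mylayer/recipes-core/busybox/files/no-wget.cfg   (file name assumed)
# CONFIG_WGET is not set
# CONFIG_FEATURE_WGET_HTTPS is not set
# CONFIG_FEATURE_WGET_OPENSSL is not set

# conf/local.conf or the image recipe; curl without ca-certificates fails TLS
# verification for every host, so install both. Releases before honister use
# the older IMAGE_INSTALL_append spelling.
IMAGE_INSTALL:append = " curl ca-certificates"
```

Whichever option is chosen, a quick post-build check is to run `busybox wget https://...` on the target and confirm the "certificate validation not implemented" note no longer appears (option A) or that the wget applet is simply gone from `busybox --list` (option B).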
