bug-gnulib
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wget bootstrapping problem

From: Bruno Haible
Subject: Re: Wget bootstrapping problem
Date: Tue, 05 May 2020 03:14:54 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-177-generic; KDE/5.18.0; x86_64; ; ) 
Paul Eggert wrote:
> > We could switch the order such that Wget is the default and rsync is used 
> > as a
> > fallback
> 
> That sounds better than reverting, no? Perhaps you could propose a patch.

No. From the point of security, "wget as default and rsync as fallback" is
just as bad as "rsync always". Why? [1] Look at the SSLv3 / TLSv1.0 history.
People believed that "SSLv3 is insecure, but since it's only used as a
fallback, it doesn't matter". Until someone discovered a way to trick the
fallback to be activated always [2]...

rsync is not secure. We should not enable it again.

Regarding the bootstrapping problem, why not build wget in two steps:
  1. Bootstrap with no PO files. This produces a non-internationalized wget
     binary.
  2. Bootstrap again, using the wget binary from step 1 to fetch the PO files.

The 'bootstrap' script has an option '--skip-po'. The gnulib-tool script
should behave the same way if you don't pass the --po-base=... option to it.

If necessary, we can add another option to gnulib-tool to avoid fetching PO
files and/or to avoid the use of wget.

Bruno

[1] https://en.wikipedia.org/wiki/Downgrade_attack
[2] https://en.wikipedia.org/wiki/POODLE
reply via email to
[Prev in Thread] Current Thread [Next in Thread]