Re: Wget bootstrapping problem
From: Bruno Haible
Subject: Re: Wget bootstrapping problem
Date: Tue, 05 May 2020 03:14:54 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-177-generic; KDE/5.18.0; x86_64; ; )

Paul Eggert wrote:
> > We could switch the order such that Wget is the default and rsync is used
> > as a fallback
>
> That sounds better than reverting, no? Perhaps you could propose a patch.

No. From the point of security, "wget as default and rsync as fallback" is
just as bad as "rsync always". Why? [1] Look at the SSLv3 / TLSv1.0 history.
People believed that "SSLv3 is insecure, but since it's only used as a
fallback, it doesn't matter". Until someone discovered a way to trick the
fallback to be activated always [2]...

rsync is not secure. We should not enable it again.

Regarding the bootstrapping problem, why not build wget in two steps:

1. Bootstrap with no PO files. This produces a non-internationalized wget
   binary.
2. Bootstrap again, using the wget binary from step 1 to fetch the PO files.

The 'bootstrap' script has an option '--skip-po'. The gnulib-tool script
should behave the same way if you don't pass the --po-base=... option to it.

If necessary, we can add another option to gnulib-tool to avoid fetching PO
files and/or to avoid the use of wget.

Bruno

[1] https://en.wikipedia.org/wiki/Downgrade_attack
[2] https://en.wikipedia.org/wiki/POODLE
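
Added example, not part of the original message and not code from gnulib or wget: a constructed, offline simulation of the fallback argument above, comparing a "secure first, insecure fallback" fetch policy with one that fails closed. The function names and the `SECURE_BLOCKED` switch are hypothetical stand-ins for an authenticated transport (HTTPS via wget) and an unauthenticated one (plain rsync).

```shell
#!/bin/sh
# Constructed simulation: no network access. The two transports below are
# hypothetical stand-ins for an authenticated fetch and an unauthenticated one.

# 1 models a network position that can drop the authenticated connection
# while leaving the unauthenticated one reachable.
SECURE_BLOCKED=0

secure_fetch() {    # authenticated: content cannot be altered in transit
  [ "$SECURE_BLOCKED" -eq 0 ] || return 1
  printf 'genuine\n'
}

insecure_fetch() {  # unauthenticated: whoever is on the path picks the content
  if [ "$SECURE_BLOCKED" -eq 1 ]; then
    printf 'tampered\n'
  else
    printf 'genuine\n'
  fi
}

# Policy A: "secure by default, insecure as fallback".
fetch_with_fallback() {
  secure_fetch || insecure_fetch
}

# Policy B: no fallback; an unavailable secure transport is a hard error.
fetch_fail_closed() {
  secure_fetch || {
    echo 'fetch failed: secure transport unavailable' >&2
    return 1
  }
}

# Prints what a policy hands to the build, or ERROR if it refuses.
outcome() {  # $1 = policy function, $2 = SECURE_BLOCKED value
  SECURE_BLOCKED=$2
  "$1" 2>/dev/null || printf 'ERROR\n'
}

for blocked in 0 1; do
  printf 'blocked=%s fallback=%s fail_closed=%s\n' "$blocked" \
    "$(outcome fetch_with_fallback "$blocked")" \
    "$(outcome fetch_fail_closed "$blocked")"
done
```

With the secure channel blocked, the fallback policy silently delivers whatever the unauthenticated channel returns, so its effective security is that of the fallback alone; the fail-closed policy stops the bootstrap instead.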