bug-gnulib

Re: Wget bootstrapping problem


From: Tim Rühsen
Subject: Re: Wget bootstrapping problem
Date: Wed, 6 May 2020 10:20:48 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

On 05.05.20 03:14, Bruno Haible wrote:
> Paul Eggert wrote:
>>> We could switch the order such that Wget is the default and rsync is used as a fallback
>>
>> That sounds better than reverting, no? Perhaps you could propose a patch.
> 
> No. From the point of security, "wget as default and rsync as fallback" is
> just as bad as "rsync always". Why? [1] Look at the SSLv3 / TLSv1.0 history.
> People believed that "SSLv3 is insecure, but since it's only used as a
> fallback, it doesn't matter". Until someone discovered a way to trick the
> fallback to be activated always [2]...
> 
> rsync is not secure. We should not enable it again.
> 
> Regarding the bootstrapping problem, why not build wget in two steps:
>   1. Bootstrap with no PO files. This produces a non-internationalized wget
>      binary.
>   2. Bootstrap again, using the wget binary from step 1 to fetch the PO files.
> 
> The 'bootstrap' script has an option '--skip-po'. The gnulib-tool script
> should behave the same way if you don't pass the --po-base=... option to it.
> 
> If necessary, we can add another option to gnulib-tool to avoid fetching PO
> files and/or to avoid the use of wget.

I fully agree with Bruno.

We could also check for an existing wget in bootstrap.conf and set
SKIP_PO=1 if not found. While it 'just works' it also disguises the real
problem and the user might get something unexpected
(non-internationalized wget).

Regards, Tim

> 
> Bruno
> 
> [1] https://en.wikipedia.org/wiki/Downgrade_attack
> [2] https://en.wikipedia.org/wiki/POODLE
> 
> 
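The downgrade point Bruno makes above (a fallback transport is only as safe as the attacker's ability to make the primary fail), as an added shell illustration that is not gnulib's bootstrap code: a PO-file fetcher written the "wget default, rsync fallback" way next to a fail-closed variant. The transports are stubbed through WGET_CMD/RSYNC_CMD and the URLs are placeholders, so it runs offline; the real bootstrap script is not involved.

```shell
#!/bin/sh
# Constructed stubs: each variable names the command the fetcher invokes.
# Defaults simulate a working wget and a working rsync; callers override
# them (e.g. WGET_CMD=false) to simulate a blocked or failing download.
: "${WGET_CMD:=true}"
: "${RSYNC_CMD:=true}"
# Placeholder locations (assumption, not the real translation server).
: "${PO_HTTPS_URL:=https://po-server.invalid/latest}"
: "${PO_RSYNC_URL:=po-server.invalid::latest}"

# Downgrade-prone pattern: whatever makes the primary fail (a filtered port,
# a forced TLS error, a tampered mirror) silently selects rsync, which here
# provides no transport authentication. Prints the transport actually used.
fetch_po_with_fallback() {
  domain=$1
  if "$WGET_CMD" "$PO_HTTPS_URL/$domain/"; then
    echo "wget"; return 0
  fi
  "$RSYNC_CMD" "$PO_RSYNC_URL/$domain/" && { echo "rsync"; return 0; }
  echo "none"; return 1
}

# Fail-closed pattern: only the authenticated transport is ever tried, and a
# failure is reported so the user can fix wget or rerun with --skip-po
# instead of getting an unnoticed downgrade.
fetch_po_strict() {
  domain=$1
  if "$WGET_CMD" "$PO_HTTPS_URL/$domain/"; then
    echo "wget"; return 0
  fi
  echo "error: cannot fetch PO files for '$domain' over https;" \
       "install/fix wget or rerun bootstrap with --skip-po" >&2
  echo "none"; return 1
}
```

Running the strict variant with WGET_CMD=false is the behaviour the thread recommends: a visible failure rather than a quiet switch to the weaker transport.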
