[asterisk-dev] Authenticated downloads of external stuff?
Alexander Traud
pabstraud at compuserve.com
Sat Feb 10 07:29:27 CST 2018
Asterisk downloads a lot of external stuff while configuring and
installing - via HTTP - for example sound files, Digium modules, and the
PJProject. These downloads are guarded by checksum/hashes which are
- not stored within the Asterisk tarball but
- retrieved from the same source as the external stuff.
Therefore, those hashes cannot be deemed secure and do not qualify to
authenticate those resources. Currently, the guards are only about
detecting incomplete downloads.
Asterisk does not use a "latest" version of external stuff. Instead,
each Asterisk release uses specific versions (e.g. the file
sounds/Makefile). Therefore, the hashes are known when the Asterisk
tarball is created. Consequently, what about including those hashes into
the Asterisk tarball itself? That way, incomplete downloads are still
detected. Furthermore, downloads are authenticated and there is no need
to download external stuff via HTTPS.
I am asking because HTTPS can mess up (and does already, see
<https://issues.asterisk.org/jira/browse/ASTERISK-27665>) the configuring
and installing of Asterisk. Sounds like a job for George, doesn't it?
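The pinned-hash check the message proposes, shown as an added example in POSIX shell (this is not Asterisk's own Makefile logic): the manifest is the kind of file that would ship inside the tarball rather than be fetched from the download server. The manifest format, the file names and the choice of SHA-256 are assumptions, and the digests are of constructed sample contents ("abc" and an empty file).

```shell
#!/bin/sh
# Added example: authenticate a downloaded artifact against a digest that is
# committed in the source tree, so the hash and the artifact no longer come
# from the same (untrusted) origin. Assumed manifest format: "<sha256>  <name>".
# The two entries below are constructed: SHA-256 of the bytes "abc" and of an
# empty file.
PINNED_MANIFEST='ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample-sounds.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  sample-module.tar.gz'

# sha256_of FILE: print the hex digest, using GNU coreutils or BSD/macOS tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE NAME: 0 when FILE's digest equals the digest pinned for
# NAME; 1 on mismatch; 2 when NAME has no pinned entry at all. The last case
# is a hard failure on purpose: an artifact the tarball never pinned must not
# pass just because there is nothing to compare it against.
verify_pinned() {
    file=$1
    name=$2
    expected=$(printf '%s\n' "$PINNED_MANIFEST" | awk -v n="$name" '$2 == n {print $1; exit}')
    if [ -z "$expected" ]; then
        echo "no pinned hash for $name; refusing to use it" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed download: the bytes "abc" match the pinned entry.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_pinned "$demo" sample-sounds.tar.gz && echo "sample-sounds.tar.gz: OK"
rm -f "$demo"
```

A download that is truncated, replaced on the mirror, or served under a name the tarball never pinned all fail the same check, which is the property the message is after.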