[asterisk-dev] Authenticated downloads of external stuff?

Matt Fredrickson creslin at digium.com
Mon Feb 12 16:57:05 CST 2018


On Sat, Feb 10, 2018 at 7:29 AM, Alexander Traud
<pabstraud at compuserve.com> wrote:
> Asterisk downloads a lot of external stuff while configuring and
> installing - via HTTP - for example sound files, Digium modules, and the
> PJProject. These downloads are guarded by checksum/hashes which are
> - not stored within the Asterisk tarball but
> - retrieved from the same source as the external stuff.
>
> Therefore, those hashes cannot be deemed secure and do not qualify to
> authenticate those resources. Currently, the guards are only about
> detecting incomplete downloads.

Sorry, I'm not following you - why would they not be secure if they're
from the same source?  downloads.asterisk.org is an HTTPS site, so
certificate auth and all that should be verifiable.

> Asterisk does not use a "latest" version of external stuff. Instead,
> each Asterisk release uses specific versions (e.g. the file
> sounds/Makefile). Therefore, the hashes are known when the Asterisk
> tarball is created. Consequently, what about including those hashes into
> the Asterisk tarball itself? That way, incomplete downloads are still
> detected. Furthermore, downloads are authenticated and there is no need
> to download external stuff via HTTPS.
>
> I am asking because HTTPS can mess up (and does already, see
> <https://issues.asterisk.org/jira/browse/ASTERISK-27665>) configuring
> and installing of Asterisk. Sounds like a job for George, doesn't it?

Sounds interesting but... not sure if I'm sold on it being worth the
effort... Help me to understand why this is important :-)

-- 
Matthew Fredrickson
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
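As an added illustration of the distinction the thread is about (a hash fetched from the same server as the artifact versus a hash fixed inside the Asterisk tarball at release time), the following is example code written for this page; it is not Asterisk's build machinery, and the artifact name, its bytes and the three scenarios are constructed:

```python
import hashlib
import hmac

# Constructed stand-ins for one external download (think of a sound-file
# tarball). The name and the bytes are made up for this example.
ARTIFACT_NAME = "example-sounds.tar.gz"
GOOD_BYTES = b"constructed contents of example-sounds.tar.gz as released\n"
TROJANED_BYTES = b"constructed contents of example-sounds.tar.gz after tampering\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_remote_hash(served_bytes: bytes, served_hash_text: str) -> bool:
    """Scheme described in the thread as current practice: the hash file is
    fetched from the same place as the artifact and compared with it.
    Expects a sha256sum-style line: "<hex>  <filename>"."""
    expected = served_hash_text.split()[0]
    return hmac.compare_digest(sha256_hex(served_bytes), expected)


# Alexander's proposal: the hash is known when the Asterisk tarball is built,
# so it ships inside the tarball. Here it is "built" from GOOD_BYTES, i.e. at
# release time, before anything is served to a user.
PINNED_SHA256 = {ARTIFACT_NAME: sha256_hex(GOOD_BYTES)}


def verify_against_pinned_hash(name: str, served_bytes: bytes) -> bool:
    expected = PINNED_SHA256.get(name)
    if expected is None:
        return False  # unknown artifact: refuse rather than trust
    return hmac.compare_digest(sha256_hex(served_bytes), expected)


def run_scenario(scenario: str) -> tuple:
    """Return (remote_hash_check_passed, pinned_hash_check_passed)."""
    good_hash_line = f"{sha256_hex(GOOD_BYTES)}  {ARTIFACT_NAME}\n"
    if scenario == "honest":
        served, served_hash = GOOD_BYTES, good_hash_line
    elif scenario == "truncated":
        # Incomplete download: the server is fine, the transfer was cut short.
        served, served_hash = GOOD_BYTES[:16], good_hash_line
    elif scenario == "server_compromised":
        # Whoever replaced the artifact also republished a matching hash file
        # (the same thing happens with an on-path attacker on plain HTTP).
        served = TROJANED_BYTES
        served_hash = f"{sha256_hex(TROJANED_BYTES)}  {ARTIFACT_NAME}\n"
    else:
        raise ValueError(f"unknown scenario: {scenario}")
    return (
        verify_against_remote_hash(served, served_hash),
        verify_against_pinned_hash(ARTIFACT_NAME, served),
    )


if __name__ == "__main__":
    for name in ("honest", "truncated", "server_compromised"):
        remote_ok, pinned_ok = run_scenario(name)
        print(f"{name:18s} remote-hash check={remote_ok!s:5s} pinned-hash check={pinned_ok}")
```

Both checks catch the truncated download, which is the case the thread says the current guard is good for; only the pinned hash catches the replaced artifact, because the remote hash file changes along with it. Pinning moves the trust to the Asterisk tarball itself, so it helps exactly as far as that tarball was obtained authentically, and it answers a different question from TLS: HTTPS authenticates the server you are talking to, a pinned hash authenticates the bytes the release was built against.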