[asterisk-dev] Authenticated downloads of external stuff?

Alexander Traud pabstraud at compuserve.com
Sat Feb 17 06:49:00 CST 2018


> The external modules might be problematic since their versions are
> only tied to major Asterisk releases.

Oops. Did not know that. However, that part does not work in FreeBSD at
all. And I do not use it in Ubuntu either. Consequently, it does not
prevent anybody from securing those other parts.

As a long-term solution, one could use signed downloads for those external
modules, and place a common public key into the tarball. That would
raise the dependencies only of the external modules (to OpenPGP [1] or
OpenSSL [2] for example). Even that could stay optional for the curious.

[1] <http://stackoverflow.com/q/30699989>
[2] <http://www.bradfordembedded.com/2016/06/openssl-file-signing>
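
The signed-download scheme suggested above, sketched with OpenSSL as an added example that is not part of the original post or of Asterisk's build scripts. The function names, file names and the throwaway key pair are assumptions constructed for illustration:

```shell
#!/bin/sh
# Added example (not Asterisk's build code). All names are hypothetical.

# verify_download ARCHIVE SIG PUBKEY
# Exit 0 only if SIG is a valid SHA-256 signature of ARCHIVE under PUBKEY.
# PUBKEY is the key shipped inside the already-trusted source tarball,
# never one fetched from the same server as the module.
verify_download() {
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# install_if_signed ARCHIVE SIG PUBKEY DESTDIR
# Unpack only after the signature has been checked; fail closed otherwise.
install_if_signed() {
    if verify_download "$1" "$2" "$3"; then
        tar -xzf "$1" -C "$4"
    else
        echo "signature check failed for $1; not installing" >&2
        return 1
    fi
}

# make_fixture DIR: constructed data standing in for the release side:
# a throwaway key pair, a dummy module archive and its detached signature.
make_fixture() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" &&
    mkdir "$1/src" &&
    echo "constructed module payload" > "$1/src/codec_example.so" &&
    tar -czf "$1/mod.tar.gz" -C "$1/src" codec_example.so &&
    openssl dgst -sha256 -sign "$1/priv.pem" \
        -out "$1/mod.tar.gz.sig" "$1/mod.tar.gz"
}

# Stand-alone run: a good signature installs, a modified archive is refused.
demo=$(mktemp -d) && make_fixture "$demo" && mkdir "$demo/dest" &&
install_if_signed "$demo/mod.tar.gz" "$demo/mod.tar.gz.sig" \
    "$demo/pub.pem" "$demo/dest" &&
echo "verified and unpacked: $(ls "$demo/dest")"
echo tamper >> "$demo/mod.tar.gz"
install_if_signed "$demo/mod.tar.gz" "$demo/mod.tar.gz.sig" \
    "$demo/pub.pem" "$demo/dest" || echo "tampered archive refused"
rm -rf "$demo"
```

Only the external-module download step needs `openssl`; the check can be skipped when the tool is absent if it is to stay optional, as the post suggests.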




