<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 13, 2018 at 2:31 AM, Alexander Traud <span dir="ltr"><<a href="mailto:pabstraud@compuserve.com" target="_blank">pabstraud@compuserve.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> <a href="http://downloads.asterisk.org" rel="noreferrer" target="_blank">downloads.asterisk.org</a> is an https site, so certificate auth and all<br>
> that should be verifiable.<br>
<br>
</span>Currently, Asterisk retrieves its external stuff not via HTTPs but HTTP.<br>
<br>
One approach would be to change all links to HTTPs within the Asterisk<br>
source. However, that is problematic for example in FreeBSD which comes<br>
without trust anchors. Furthermore, that approach does not use<br>
certificate pinning. Therefore, one alternative is to move the hashes<br>
into the Asterisk tarball. This gives at least the same security as<br>
certificate pining but does not increase the burden in the local<br>
configuration.<br>
<br>
Actually, this gives bullet proof downloads. The user only has to<br>
double-check the signature of the initial download, the download of the<br>
Asterisk tarball. Everything else chains up to that. The code is quite<br>
the same, just the location of the hashes move.<br>
<div class="HOEnZb"><div class="h5"><br>
<br></div></div></blockquote><div><br></div><div>Let me think about this a bit. The sounds files and pjproject I think would be fairly</div><div>straightforward because, as you've said, the versions are known when we build the</div><div>Asterisk tarball. The external modules might be problematic since their versions</div><div>are only tied to major Asterisk releases.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
<br>
--<br>
______________________________<wbr>______________________________<wbr>_________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" rel="noreferrer" target="_blank">http://lists.digium.com/<wbr>mailman/listinfo/asterisk-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span style="font-size:12.8px">George Joseph</span><br style="font-size:12.8px"><span style="font-size:12.8px">Digium, Inc. | Software Developer</span><span style="font-size:12.8px"><br>445 Jan Davis Drive NW - Huntsville, AL 35806 - US<br></span><span style="font-size:12.8px">Check us out at: </span><a href="http://www.digium.com/" rel="noreferrer" style="color:rgb(17,85,204);font-size:12.8px" target="_blank">www.digium.com</a><span style="font-size:12.8px"> & </span><a href="http://www.asterisk.org/" rel="noreferrer" style="color:rgb(17,85,204);font-size:12.8px" target="_blank">www.asterisk.org</a><br><div><br></div></div></div>
</div></div>