[Asterisk-code-review] BuildSystem: Allow fetch of PJProject without trust anchors. (asterisk[master])

Alexander Traud asteriskteam at digium.com
Mon Feb 12 05:48:28 CST 2018


Alexander Traud has posted comments on this change. ( https://gerrit.asterisk.org/8181 )

Change subject: BuildSystem: Allow fetch of PJProject without trust anchors.
......................................................................


Patch Set 1:

HTTPs does not add any security here. Furthermore, this is a design choice of FreeBSD not to include any list of trust anchors. It is the choice of the user to add a trust anchor. Consequently there won’t be a ‘fix’ from FreeBSD and there have been no fix for years – this is not a recent issue (please, see the issue report). Finally, that install script is going to change in the future and split-up into installing just build+essential and all dependencies. I see no reason why curl or wget should get an essential dependency.

Asterisk downloads no other external part via HTTPs. It was just PJProject, only because Teluu got too much requests, and GitHub does not offer a choice. Additionally, the requirements of GitHub are quite high. There might be more (embedded) platforms affected by this.

HTTPs adds no additional security when signed checksums are included in the tarball one day. It is a waste of resources in case of Asterisk.


-- 
To view, visit https://gerrit.asterisk.org/8181
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I573308fa11a69d28480b669971b5bfe66476fa60
Gerrit-Change-Number: 8181
Gerrit-PatchSet: 1
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Corey Farrell <git at cfware.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Comment-Date: Mon, 12 Feb 2018 11:48:28 +0000
Gerrit-HasComments: No
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20180212/a64522ec/attachment.html>


More information about the asterisk-code-review mailing list