Asterisk downloads a lot of external stuff while configuring and installing - via HTTP - for example sound files, Digium modules, and the PJProject. These downloads are guarded by checksum/hashes which are - not stored within the Asterisk tarball but - retrieved from the same source as the external stuff.
Therefore, those hashes cannot be deemed secure and do not qualify to authenticate those resources. Currently, the guards are only about detecting incomplete downloads.

Asterisk does not use a "latest" version of external stuff. Instead, each Asterisk release uses specific versions (e.g. the file sounds/Makefile). Therefore, the hashes are known when the Asterisk tarball is created.

Consequently, what about including those hashes in the Asterisk tarball itself? That way, incomplete downloads are still detected. Furthermore, downloads are authenticated and there is no need to download external stuff via HTTPS. I am asking because HTTPS can mess up (and does already, see <https://issues.asterisk.org/jira/browse/ASTERISK-27665>) configuring and installing of Asterisk.

Sounds like a job for George, doesn't it?
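
The proposal above, sketched as an added example that is not part of the original message or of Asterisk's build scripts: a download is checked against a hash pinned in a manifest shipped inside the tarball, next to the same-source checksum check described in the message. The file name, manifest name and function names are hypothetical, and SHA-256 is an assumption.

```shell
#!/bin/sh
# Added example; file and manifest names are hypothetical, not Asterisk's own.

sha256_of() {  # print the hex SHA-256 of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE MANIFEST
# MANIFEST ships inside the release tarball, one "<hex>  <name>" line per file.
# Returns 0 on match, 1 on mismatch, 2 when the file has no pinned entry.
verify_pinned() {
    vp_name=$(basename "$1")
    vp_want=$(awk -v n="$vp_name" '$2 == n {print $1; exit}' "$2")
    [ -n "$vp_want" ] || return 2          # fail closed: nothing pinned
    [ "$(sha256_of "$1")" = "$vp_want" ] || return 1
}

# verify_sidecar FILE SIDECAR: the same-source scheme, where the checksum file
# comes from the same server as FILE. Returns 0 on match, 1 otherwise.
verify_sidecar() {
    [ "$(sha256_of "$1")" = "$(awk '{print $1; exit}' "$2")" ]
}

status() { "$@" && echo 0 || echo $?; }    # print a command's exit status

# demo: constructed files only, no network. Prints four exit statuses.
demo() {
    d=$(mktemp -d) || return 1
    f=example-sounds.tar.gz
    mkdir "$d/good" "$d/cut" "$d/swap"
    printf 'genuine sound pack\n' > "$d/good/$f"
    # Release time: the hash is recorded in the manifest inside the tarball.
    printf '%s  %s\n' "$(sha256_of "$d/good/$f")" "$f" > "$d/pinned.sha256"
    printf 'genuine so' > "$d/cut/$f"                 # incomplete download
    printf 'substituted content\n' > "$d/swap/$f"     # replaced in transit
    printf '%s  %s\n' "$(sha256_of "$d/swap/$f")" "$f" > "$d/swap/$f.sha256"
    a=$(status verify_pinned "$d/good/$f" "$d/pinned.sha256")
    b=$(status verify_pinned "$d/cut/$f" "$d/pinned.sha256")
    c=$(status verify_sidecar "$d/swap/$f" "$d/swap/$f.sha256")
    e=$(status verify_pinned "$d/swap/$f" "$d/pinned.sha256")
    rm -rf "$d"
    echo "$a $b $c $e"
}

demo   # 0 1 0 1
```

The third status is the gap the message describes: a checksum fetched alongside a replaced file matches it, while the pinned manifest rejects both the truncated and the replaced file.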
