On Sat, Feb 10, 2018 at 7:29 AM, Alexander Traud <[email protected]> wrote: > Asterisk downloads a lot of external stuff while configuring and > installing - via HTTP - for example sound files, Digium modules, and the > PJProject. These downloads are guarded by checksum/hashes which are > - not stored within the Asterisk tarball but > - retrieved from the same source as the external stuff. > > Therefore, those hashes cannot be deemed secure and do not qualify to > authenticate those resources. Currently, the guards are only about > detecting incomplete downloads.
Sorry, I'm not following you - why would they not be secure if they're from the same source? downloads.asterisk.org is an https site, so certificate auth and all that should be verifiable. > Asterisk does not use a "latest" version of external stuff. Instead, > each Asterisk release uses specific versions (e.g. the file > sounds/Makefile). Therefore, the hashes are known when the Asterisk > tarball is created. Consequently, what about including those hashes into > the Asterisk tarball itself? That way, incomplete downloads are still > detected. Furthermore, downloads are authenticated and there is no need > to download external stuff via HTTPs. > > I am asking because HTTPs can mess (and does already, see > <https://issues.asterisk.org/jira/browse/ASTERISK-27665>) configuring > and installing of Asterisk. Sounds like a job for George, doesn't it? Sounds interesting but... not sure if I'm sold on it being worth the effort... Help me to understand why this is important :-) -- Matthew Fredrickson Digium, Inc. | Engineering Manager 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-dev mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
