On Wed, May 6, 2020 at 4:22 AM Tim Rühsen <tim.rueh...@gmx.de> wrote: > > On 05.05.20 03:14, Bruno Haible wrote: > > Paul Eggert wrote: > >>> We could switch the order such that Wget is the default and rsync is used > >>> as a > >>> fallback > >> > >> That sounds better than reverting, no? Perhaps you could propose a patch. > > > > No. From the point of security, "wget as default and rsync as fallback" is > > just as bad as "rsync always". Why? [1] Look at the SSLv3 / TLSv1.0 history. > > People believed that "SSLv3 is insecure, but since it's only used as a > > fallback, it doesn't matter". Until someone discovered a way to trick the > > fallback to be activated always [2]... > > > > rsync is not secure. We should not enable it again. > > > > Regarding the bootstrapping problem, why not build wget in two steps: > > 1. Bootstrap with no PO files. This produces a non-internationalized wget > > binary. > > 2. Bootstrap again, using the wget binary from step 1 to fetch the PO > > files. > > > > The 'bootstrap' script has an option '--skip-po'. The gnulib-tool script > > should behave the same way if you don't pass the --po-base=... option to it. > > > > If necessary, we can add another option to gnulib-tool to avoid fetching PO > > files and/or to avoid the use of wget. > > I fully agree with Bruno. > > We could also check for an existing wget in bootstrap.conf and set > SKIP_PO=1 if not found. While it 'just works' it also disguises the real > problem and the user might get something unexpected > (non-internationalized wget).
How about a --disable-translation configure option similar to --disable-docs. That should get you over the bootsrap hurdle. But it assumes you have a adequate Unistring and OpenSSL. (From experience with some older systems and ransomware systems, I've found the minimum components needed to build Wget are Unistring and OpenSSL: https://github.com/noloader/Build-Scripts/tree/master/bootstrap). Jeff
