author | Boris Nagaev <bnagaev@gmail.com> | 2017-03-09 12:01:43 (GMT) |
---|---|---|
committer | Volker Diels-Grabsch <v@njh.eu> | 2017-03-12 13:07:10 (GMT) |
commit | 096c509099a9968619e53e292f20875dcfe3fde3 (patch) | |
tree | 628708ab9cbd13025361354e0326668931af8ff1 /Makefile | |
parent | b76b559f5ea40dacbb887405d6a75a4bbfc9d203 (diff) | |
no --no-check-certificate while updating packages
Regular downloads of packages are verified by checksums, so
--no-check-certificate doesn't compromise the build system,
but the checksums themselves are often updated with update-checksum-%
which in turn calls the regular package download mechanism, so there
is a possibility of downloading and sealing a poisoned file.
On the one hand, old systems may still rely on --no-check-certificate,
so it is not nice to completely disable it for regular downloads.
However keeping this option enabled for backup servers only is enough
to support such systems because of the fallback mechanism.
On the other hand, download from a backup doesn't make sense while
updating a package, because the package is definitely not in the backup yet.
So --no-check-certificate is now enabled only for backup servers
and backup servers are disabled while updating packages.
See https://github.com/mxe/mxe/pull/1694#issuecomment-285324739
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 10 |
1 files changed, 5 insertions, 5 deletions
@@ -35,8 +35,7 @@ PATCH := $(shell gpatch --help >/dev/null 2>&1 && echo g)patch
 SED := $(shell gsed --help >/dev/null 2>&1 && echo g)sed
 SORT := $(shell gsort --help >/dev/null 2>&1 && echo g)sort
 DEFAULT_UA := $(shell wget --version | $(SED) -n 's,GNU \(Wget\) \([0-9.]*\).*,\1/\2,p')
-WGET = wget --no-check-certificate \
- --user-agent='$(or $($(1)_UA),$(DEFAULT_UA))'
+WGET = wget --user-agent='$(or $($(1)_UA),$(DEFAULT_UA))'
 REQUIREMENTS := autoconf automake autopoint bash bison bzip2 flex \
 $(BUILD_CC) $(BUILD_CXX) gperf intltoolize $(LIBTOOL) \
@@ -248,9 +247,9 @@ ESCAPE_PKG = \
 BACKUP_DOWNLOAD = \
 (echo "MXE Warning! Downloading $(1) from backup." >&2 && \
- ($(WGET) -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(PKG_MIRROR)/`$(call ESCAPE_PKG,$(1))` || \
- $(WGET) -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(PKG_CDN)/`$(call ESCAPE_PKG,$(1))` || \
- $(WGET) -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(GITLAB_BACKUP)/`$(call ESCAPE_PKG,$(1))`_$($(1)_CHECKSUM)))
+ ($(WGET) --no-check-certificate -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(PKG_MIRROR)/`$(call ESCAPE_PKG,$(1))` || \
+ $(WGET) --no-check-certificate -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(PKG_CDN)/`$(call ESCAPE_PKG,$(1))` || \
+ $(WGET) --no-check-certificate -O '$(PKG_DIR)/.tmp-$($(1)_FILE)' $(GITLAB_BACKUP)/`$(call ESCAPE_PKG,$(1))`_$($(1)_CHECKSUM)))
 DOWNLOAD_PKG_ARCHIVE = \
 $(if $($(1)_SOURCE_TREE),\
@@ -748,6 +747,7 @@ update-package-%:
 $(and $($*_UPDATE),$(call UPDATE,$*,$(shell $($*_UPDATE)))), \
 $(error Package $* not found))
+update-checksum-%: MXE_NO_BACKUP_DL = true
 update-checksum-%:
 $(if $(call set_is_member,$*,$(PKGS)), \
 $(call DOWNLOAD_PKG_ARCHIVE,$*) && \ |
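Review bot: The three `--no-check-certificate` fetches in BACKUP_DOWNLOAD are only safe while the caller compares the downloaded file with the recorded `$(1)_CHECKSUM`, and nothing in this macro states that. The guard that keeps it out of checksum updates sits in the caller, outside this hunk. I would add a comment above the macro, for example `# TLS is not verified here: the result must be checked against $(1)_CHECKSUM and never used to compute a new checksum`. As a style point, the flag is now repeated on all three lines; one helper such as `BACKUP_WGET = $(WGET) --no-check-certificate` would keep the exception in a single place.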
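Review bot: The pattern-specific `MXE_NO_BACKUP_DL = true` on update-checksum-% is an ordinary makefile assignment, so a value for the same variable given on the make command line takes precedence over it. Depending on how DOWNLOAD_PKG_ARCHIVE tests the variable (not visible in this hunk), that could let the unverified backup download back into a checksum update. Writing it as `update-checksum-%: override MXE_NO_BACKUP_DL = true` pins the setting for this target. A one-line comment such as `# no backup servers here: the downloaded file defines the new checksum` would record why. The recipe of update-checksum-% continues past the end of the hunk.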