Dear Sven, I wasn't aware of signature checking and hence I agree with yours and Jo-Philipp's sentiment that this would be a bad idea. Please disregard my suggestion. Thank you very much for teaching me about the signature verification system.
Yours sincerely, Jaap Buurman On Tue, Apr 17, 2018 at 10:27 AM, Sven Eckelmann <sven.eckelm...@openmesh.com> wrote: > On Dienstag, 17. April 2018 10:03:10 CEST Jaap Buurman wrote: >> Hello all, >> >> Today I discovered that pulling packages from the feeds is done over >> http by default instead of https. I understand it is always going to >> be a trade-off between space requirements and features/security. >> However, pulling in packages over an unencrypted connection will allow >> for easy manipulation of the package's contents via a MITM attack. For >> a router that is going to run these packages, that stands between all >> your devices and the big bad internet that is an unacceptable >> trade-off in my opinion. > [...] > > Are you aware of the Packages signature [1] and the sha256sums in the Packages > file? opkg is checking the signature [3] when the Packages file is downloaded. > The sha256sum is checked after the package was downloaded and before it was > installed [4] > > Kind regards, > Sven > > > [1] > https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages.sig > [2] > https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages > [3] > https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_cmd.c;h=c823df8b6006bffa2516443fab3718cd112ae3b3;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l170 > [4] > https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_install.c;h=e6f8a1b6276ede518a5c59b2f9347f1de8e5dd7a;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l1386 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
