Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.
In-place http -> https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink
Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)
Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage
Signed-off-by: Paul Spooren <mail@aparcar.org>
Changes from popt 1.16:
- fix an ugly and ancient security issue with popt failing to drop privileges on alias exec from a SUID/SGID program
- perform rudimentary sanity checks when reading in popt config files
- collect accumulated misc fixes (memleaks etc) from distros
- convert translations to utf-8 encoding
- convert old postscript documentation to pdf
- dust off ten years worth of autotools sediment
- reorganize and clean up the source tree for clarity
- remove the obnoxious splint annotations from the sources
Switch to new mirror:
http://ftp.rpm.org/popt/releases/
Switch URL to:
https://github.com/rpm-software-management/popt
Signed-off-by: Nick Hainke <vincent@systemli.org>
We can safely assume by now that rpm5.org is dead and isn't coming back
so just add another mirror instead.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.
I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.
However, I can not garantee that I always picked the correct information
and/or did not miss license information.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 43155
