Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.
In-place http -> https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink
Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)
Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage
Signed-off-by: Paul Spooren <mail@aparcar.org>
Both mirrors provided in the Makefile only serve gzipped tarballs.
Fixes: #10871
Fixes: 9edfe7dd13d9 ("source: Switch to xz for packages and tools where possible")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Update to 4.1
Remove 0001-mkfs-Default-to-64-32-heads-sectors-for-targets-smal.patch
as it's included in upstream repo.
Refresh patch
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
- use default host install and clean.
- backport compatibility patch for OS X and LEDE (avoids having to force iconv
for OS X).
- use default HOST_BUILD_DIR.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
- avoid using tools/include/endian.h on OS X to fix compilation.
- remove unneeded Host/Compile definition.
- refresh patches.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
