Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.

In-place http -> https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
  tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink

Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)

Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage

Signed-off-by: Paul Spooren <mail@aparcar.org>
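An added example, not part of the commit above or of the OpenWrt tree: a small Python check that lists `PKG_SOURCE_URL` entries still using http:// or ftp://, following backslash continuations so multi-URL fallbacks are covered. The sample Makefile fragment, its hosts and the function names are constructed for illustration.

```python
import re

# Constructed sample Makefile fragment (hypothetical package and hosts).
SAMPLE_MAKEFILE = """\
PKG_NAME:=example
PKG_SOURCE:=$(PKG_NAME)-1.0.tar.gz
PKG_SOURCE_URL:=http://downloads.example.org/src/ \\
\tftp://ftp.example.org/pub/example/ \\
\thttps://mirror.example.org/example/
PKG_VERSION:=1.0
"""

# Matches the start of a PKG_SOURCE_URL assignment (:=, +=, ?= or =).
ASSIGN = re.compile(r'^\s*PKG_SOURCE_URL\s*(?::=|\+=|\?=|=)\s*(.*)$')
# Schemes that give no authentication of the upstream host.
INSECURE = re.compile(r'^(?:http|ftp)://', re.IGNORECASE)


def source_urls(makefile_text):
    """Yield (line_number, url) for every PKG_SOURCE_URL entry,
    including entries on backslash-continued lines."""
    lines = makefile_text.splitlines()
    i = 0
    while i < len(lines):
        m = ASSIGN.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group(1)
        while True:
            continued = value.rstrip().endswith('\\')
            for url in value.rstrip().rstrip('\\').split():
                yield i + 1, url
            i += 1
            if not continued or i >= len(lines):
                break
            value = lines[i]


def insecure_urls(makefile_text):
    """Return entries whose scheme is http:// or ftp://.
    Mirror aliases such as @OPENWRT and https:// URLs pass."""
    return [(n, u) for n, u in source_urls(makefile_text) if INSECURE.match(u)]


if __name__ == "__main__":
    for lineno, url in insecure_urls(SAMPLE_MAKEFILE):
        print(f"line {lineno}: insecure source URL {url}")
```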

Patch CMakeLists.txt to fulfill cmake 4.0 requirements
of cmake_minimum_required being at least 3.5 and in future 3.10.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

Refresh all tools patches now that tools/refresh correctly works.

CI now checks for them and actively complains if tools have unrefreshed
patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[ reword commit message ]
Link: https://github.com/openwrt/openwrt/pull/15524
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining tools which have a CPE ID.
Not every tool has a CPE ID.

Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

prerequisite of upcoming `tools/lzop` addition, and subsequent initramfs
and squashfs cleanups

same as `packages/lzo` modified to be a HOST/tools type build,
and should always be the same version and sources when either one is
bumped

because this (and `packages/lzo`) only provide liblzo and no
executables, use the clearer name `tools/liblzo`

Signed-off-by: Tony Butler <spudz76@gmail.com>