mirror of
https://git.openwrt.org/openwrt/openwrt.git
synced 2026-04-22 03:32:01 +02:00
7a991c8d88
Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https:// across tools/ and package/. PKG_HASH alone does not protect against an attacker tampering with insecure downloads when a maintainer regenerates the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the captured hash reflects real upstream content. In-place http -> https (HTTPS reachability verified per host): - tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools, tools/libressl, tools/xz - package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host is dead or has a broken certificate: - package/libs/popt (ftp.rpm.org cert mismatch) - package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org) - package/boot/imx-bootlets (trabant.uid0.hu cert mismatch) - package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root) Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is already listed): - package/boot/uboot-tools, tools/mkimage Signed-off-by: Paul Spooren <mail@aparcar.org>