Hello, it looks like building LibreOffice without Git might download submodules over unencrypted HTTP without checking authenticity or integrity. The relevant code is here: https://github.com/LibreOffice/core/blob/648c70ac2caf2646ee8ff49bd8d846016d289b38/Makefile.in#L263 It would probably be good to at least replace the `http://` of the URL with `https://`, but if possible it might also be good to introduce authenticity / integrity validation since the files are downloaded from mirrors (if I see that correctly). Even though I assume you only chose trustworthy mirror sites, each mirror site increases the attack surface nonetheless so an authenticity check would be useful. I am not planning to submit a pull request since I am not familiar with the build setup of LibreOffice. Hopefully that is fine for you. Kind regards
Non-Git build might download submodules over unencrypted HTTP
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Non-Git build might download submodules over unencrypted HTTP
- From: some-java-user-99206970363698485155@xxxxxxxxxxxxxxx
- Date: Mon, 24 Oct 2022 00:35:54 +0200
- Follow-Ups:
- Re: Non-Git build might download submodules over unencrypted HTTP
- From: Caolán McNamara
- Re: Non-Git build might download submodules over unencrypted HTTP
- Prev by Date: Re: Comparion of LogicalFontInstance::ImplGetGlyphBoundRect() between platforms
- Next by Date: Re: Option "Convert SmartArt to LO shapes or reverse"
- Previous by thread: Option "Convert SmartArt to LO shapes or reverse"
- Next by thread: Re: Non-Git build might download submodules over unencrypted HTTP
- Index(es):
 |