* [PATCH] fetch2/wget: fetch securely by default
@ 2021-06-28 16:04 Ross Burton
2021-06-28 16:51 ` [bitbake-devel] " Quentin Schulz
0 siblings, 1 reply; 2+ messages in thread
From: Ross Burton @ 2021-06-28 16:04 UTC (permalink / raw)
To: bitbake-devel
The days of broken certificates are behind us now, so instead of always
passing --no-check-certificate to wget, don't pass it by default and
instead only pass it if the SRC_URI has insecure=1 set.
[ YOCTO #14108 ]
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
bitbake/lib/bb/fetch2/wget.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 784df70c9f6..1088b8e9649 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -82,7 +82,10 @@ class Wget(FetchMethod):
if not ud.localfile:
ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
- self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
+ self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
+
+ if ud.parm.get('insecure', '0') == '1':
+ self.basecmd += " --no-check-certificate"
def _runwget(self, ud, d, command, quiet, workdir=None):
@@ -288,12 +291,14 @@ class Wget(FetchMethod):
if exported_proxies:
handlers.append(urllib.request.ProxyHandler())
handlers.append(CacheHTTPHandler())
+
# Since Python 2.7.9 ssl cert validation is enabled by default
# see PEP-0476, this causes verification errors on some https servers
# so disable by default.
import ssl
- if hasattr(ssl, '_create_unverified_context'):
+ if ud.parm.get('insecure', '0') == '1' and hasattr(ssl, '_create_unverified_context'):
handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
+
opener = urllib.request.build_opener(*handlers)
try:
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [bitbake-devel] [PATCH] fetch2/wget: fetch securely by default
2021-06-28 16:04 [PATCH] fetch2/wget: fetch securely by default Ross Burton
@ 2021-06-28 16:51 ` Quentin Schulz
0 siblings, 0 replies; 2+ messages in thread
From: Quentin Schulz @ 2021-06-28 16:51 UTC (permalink / raw)
To: bitbake-devel, Ross Burton
Hi Ross,
On June 28, 2021 4:04:58 PM UTC, Ross Burton <ross@burtonini.com> wrote:
>The days of broken certificates are behind us now, so instead of always
>passing --no-check-certificate to wget, don't pass it by default and
>instead only pass it if the SRC_URI has insecure=1 set.
>
Please also send a patch to the documentation of the wget fetcher.
Cheers,
Quentin
>[ YOCTO #14108 ]
>
>Signed-off-by: Ross Burton <ross.burton@arm.com>
>---
> bitbake/lib/bb/fetch2/wget.py | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
>diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
>index 784df70c9f6..1088b8e9649 100644
>--- a/bitbake/lib/bb/fetch2/wget.py
>+++ b/bitbake/lib/bb/fetch2/wget.py
>@@ -82,7 +82,10 @@ class Wget(FetchMethod):
> if not ud.localfile:
> ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
>
>- self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
>+ self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
>+
>+ if ud.parm.get('insecure', '0') == '1':
>+ self.basecmd += " --no-check-certificate"
>
> def _runwget(self, ud, d, command, quiet, workdir=None):
>
>@@ -288,12 +291,14 @@ class Wget(FetchMethod):
> if exported_proxies:
> handlers.append(urllib.request.ProxyHandler())
> handlers.append(CacheHTTPHandler())
>+
> # Since Python 2.7.9 ssl cert validation is enabled by default
> # see PEP-0476, this causes verification errors on some https servers
> # so disable by default.
> import ssl
>- if hasattr(ssl, '_create_unverified_context'):
>+ if ud.parm.get('insecure', '0') == '1' and hasattr(ssl, '_create_unverified_context'):
> handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
>+
> opener = urllib.request.build_opener(*handlers)
>
> try:
>--
>2.25.1
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-28 16:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-28 16:04 [PATCH] fetch2/wget: fetch securely by default Ross Burton
2021-06-28 16:51 ` [bitbake-devel] " Quentin Schulz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).