kicad-developers team mailing list archive

Re: [rfc patch] replace avhttp with libcurl

 

With all due respect.... this is /dumb/. You want our software to go downloading things without verifying their origin? Do you /really/ trust the quality of our code to the point where you're going to risk it being a vector for things like arbitrary executions on our watch? It's not 1995 anymore. /Everything/ on the internet should be done with verified security. There are so, SO many ways to exploit insecure connections.

I don't know about you, but I've /seen/ kicad's code, and I do not trust it to handle things downloaded from arbitrary, unverified locations without having at least a look over what's been downloaded.

> For Github, https links are used just because http links do not exist.
> This is the only reason.
> 

There is a REASON for this.

On Fri, Dec 04, 2015 at 01:13:39PM +0100, jp charras wrote:
> On 04/12/2015 12:43, Brian Sidebotham wrote:
> > Please don't simply disable SSL verification - this is really only
> > useful for self-signed certs.
> > 
> > Instead, use something along the lines of
> > 
> >     curl_easy_setopt( curl, CURLOPT_CAINFO, "ca-bundle.crt");
> > 
> > This is a Windows-specific problem, so I would ifdef that setting and
> > package the ca-bundle.crt in the windows installer.
> > 
> > You can get up-to-date certificate bundles from:
> > http://curl.haxx.se/docs/caextract.html
> > 
> > Best Regards,
> > 
> > Brian.
> 
> I understand what you mean, but I am pretty sure avhttp did not test
> certificates.
> Using a certificate just to download lib files is perhaps a bit overkill
> (after all, most of pdf docs of our components are downloaded from http
> connections, not certified)
> 
> I am thinking the certificate ca-bundle.crt is OK (cURL works fine since
> I updated it), but it is just not found by Kicad (It could be fixed).
> 
> I am worried by the fact that most Kicad users know nothing about
> certificates, and using them opens the door to a lot of bug reports (the
> fp lib table issues could be zilch compared to that).
> 
> But what is the *actual* interest in using a certificate just to
> download libraries or 3D models? (At least as default option: it could
> be used on request, as an option)
> (Remember libraries are not necessarily stored on Github.)
> 
> For Github, https links are used just because http links do not exist.
> This is the only reason.
> 
> -- 
> Jean-Pierre CHARRAS
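The approach suggested in the quoted message (keep certificate verification on and point libcurl at a packaged `ca-bundle.crt` on Windows only), sketched as an added example that is not code from this thread or from KiCad. The names `tls_policy`, `tls_policy_init`, `tls_policy_apply`, `is_windows`, `install_dir` and the `USE_LIBCURL` build macro are assumptions; the platform is passed as a parameter instead of an `#ifdef` so both branches can be exercised on one machine.

```c
/* Added example: verification stays on; a missing bundle is an error,
 * never a reason to disable checks.
 * Build with -DUSE_LIBCURL -lcurl to compile the libcurl part. */
#include <stdio.h>
#include <string.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

struct tls_policy {
    long verify_peer;   /* CURLOPT_SSL_VERIFYPEER: 1 = validate the chain */
    long verify_host;   /* CURLOPT_SSL_VERIFYHOST: 2 = name must match cert */
    char ca_file[512];  /* CURLOPT_CAINFO; empty = libcurl's default CA location */
};

/* install_dir (hypothetical) is where the installer placed ca-bundle.crt.
 * Returns 0 on success, -1 if the bundle is needed but missing or the
 * path does not fit. The verify flags are set to "on" in every case. */
int tls_policy_init(struct tls_policy *p, int is_windows, const char *install_dir)
{
    p->verify_peer = 1L;
    p->verify_host = 2L;
    p->ca_file[0] = '\0';
    if (!is_windows)
        return 0;                       /* keep libcurl's default CA location */
    int n = snprintf(p->ca_file, sizeof p->ca_file, "%s/ca-bundle.crt", install_dir);
    if (n < 0 || (size_t)n >= sizeof p->ca_file) { p->ca_file[0] = '\0'; return -1; }
    FILE *f = fopen(p->ca_file, "rb");
    if (!f) { p->ca_file[0] = '\0'; return -1; }  /* fail closed */
    fclose(f);
    return 0;
}

#ifdef USE_LIBCURL
/* Apply the policy to an easy handle; stops at the first failing option. */
CURLcode tls_policy_apply(CURL *curl, const struct tls_policy *p)
{
    CURLcode rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, p->verify_peer);
    if (rc == CURLE_OK)
        rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, p->verify_host);
    if (rc == CURLE_OK && p->ca_file[0])
        rc = curl_easy_setopt(curl, CURLOPT_CAINFO, p->ca_file);
    return rc;
}
#endif
```

When `tls_policy_init` returns -1 the caller should report that the CA bundle was not found and skip the download, which gives users a specific error instead of an unverified transfer.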

