Re: [Buildroot] [PATCH 1/1] package/pkg-download: add per package download fallback disable

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: "Flávio Tapajós" <flavio.tapajos@newtesc.com.br>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/pkg-download: add per package download fallback disable
Date: Wed, 1 May 2024 21:46:27 +0200	[thread overview]
Message-ID: <ZjKcE_htYN1j5io2@landeda> (raw)
In-Reply-To: <0e92066e-ce6f-4d69-9f43-979c62a4d40c@mind.be>

Arnout, All,

On 2024-05-01 21:09 +0200, Arnout Vandecappelle via buildroot spake thusly:
> On 30/04/2024 19:56, Flávio Tapajós wrote:
> > Sorry to necrobump, but such a feature would be handy when using
> > FOO_DL_OPTS to ensure http authentication.
> > 
> > Tokens, usernames or passwords will be leaked to the fallback server in
> > case of failure of the primary source. This could be some source of
> > vulnerability
> 
>  I don't see how any of these would be leaked...
> 
>  A token is passed either as a password or as a header. There's no way to
> specify per-package wget options anyway,

It *is* possible to pass per-package download options:

    FOO_DL_OPTS = --header 'Auth-Token: my-secret'

And those options are passed to all the downloads tentatives. This of
course only works properly when the main download is done with wget,
though, as options for git-as-main are not valid for wget-as-primary or
wget-as-backup.

Note that we used to have such a package in Buildroot, amd-catalyst, but
it was removed a while ago. Still, we're testing that in outr download
runtime tests, for sftp and scp, so we know it works...

Regards,
Yann E. MORIN.

> so I guess it will be passed as a
> password.
> 
>  A password can either be passed in .netrc or .wgetrc (in which case it is
> site-specific so won't be sent to PRIMARY_SITE or BACKUP_SITE), or it can be
> passed in the URL, as https://user:pass@server.com/path/source.tar.gz
> The whole user:pass part also doesn't get used in PRIMARY_SITE or BACKUP_SITE.
> 
>  The above applies to http downloads. For other downloads, it doesn't even
> matter at all, because that download method won't be used for PRIMARY_SITE
> and SECONDARY_SITE so any authentication stuff won't be used either.
> 
>  So how does leaking take place?
> 
>  Regards,
>  Arnout
> 
> > 
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot