[Toybox] [PATCH] wget: add TLS support

Rob Landley rob at landley.net
Wed Oct 20 10:35:20 PDT 2021


On 10/20/21 11:51 AM, enh wrote:
> for the ignorant (like me) --- are these libraries like BearSSL an extra
> abstraction on top of stuff like openssl/boringssl, or are they roughly equivalent?

Roughly equivalent. Think openssh vs dropbear.

> (i'm just thinking ahead to what i'd have to do to get toybox wget working with
> boringssl because of FIPS.

... the federal procurement standard?

(What are they up to now, anyway? My computer history geek side has a basic
familiarity with FIPS 151-2, but I thought it got repealed?)

> which, yes, makes about as much sense as requiring
> current vehicles to demonstrate that their hand-cranks are appropriately
> protected against collisions with horses, but it is what it is, and that's a
> problem to be solved by politicians and lawyers, not us :-( )

wget is used in a lot of scripted resource fetching*, and these days it's
near-useless without https. I'm 100% in favor of making this work, but I also
want a minimal built-in version which is nontrivial. (Denys Vlasenko, the
busybox maintainer I handed off to many moons ago, wrote his own from scratch
over a period of a couple years. Alas he did it as multiple files and didn't do
it in a subdirectory so you can't easily pull up the commit log from the web
repo, but https://git.busybox.net/busybox/log/networking/tls.c gives you the
general idea. To be honest, making puppy eyes at him to use his work under 0BSD
and then cleaning it up to be a proper lib/tls.c that toybox and busybox could
share would be good. Busybox already has )

I know you won't use the built-in one, but that whole "no external dependencies
in the base" thing comes up.** And if I do a built-in readonly git fetcher, that
also needs https:// to pull repos...

Rob

* wget and curl are semi-interchangeable, but busybox only ever implemented
wget. Curl is more a library for programs to link against, with the command line
utility sort of an afterthought.

** Buncha reasons: defeating trusting trust, being a good self-contained
educational resource showing all the code needed to do the thing, reproducible
builds, avoiding archival versions being hit by version skew between packages or
website-went-away syndrome...
