Non-Git build might download submodules over unencrypted HTTP

some-java-user-99206970363698485155 at some-java-user-99206970363698485155 at
Sun Oct 23 22:35:54 UTC 2022

It looks like building LibreOffice without Git might download submodules over unencrypted HTTP without checking authenticity or integrity. The relevant code is here:

It would probably be good to at least replace the `http://` of the URL with `https://`, but if possible it might also be good to introduce authenticity / integrity validation since the files are downloaded from mirrors (if I see that correctly). Even though I assume you only chose trustworthy mirror sites, each mirror site increases the attack surface nonetheless so an authenticity check would be useful.

I am not planning to submit a pull request since I am not familiar with the build setup of LibreOffice. Hopefully that is fine for you.

Kind regards
