Non-Git build might download submodules over unencrypted HTTP
some-java-user-99206970363698485155 at vodafonemail.de
some-java-user-99206970363698485155 at vodafonemail.de
Sun Oct 23 22:35:54 UTC 2022
Hello,
it looks like building LibreOffice without Git might download submodules over unencrypted HTTP without checking authenticity or integrity. The relevant code is here:
https://github.com/LibreOffice/core/blob/648c70ac2caf2646ee8ff49bd8d846016d289b38/Makefile.in#L263
It would probably be good to at least replace the `http://` of the URL with `https://`, but if possible it might also be good to introduce authenticity / integrity validation since the files are downloaded from mirrors (if I see that correctly). Even though I assume you only chose trustworthy mirror sites, each mirror site increases the attack surface nonetheless so an authenticity check would be useful.
I am not planning to submit a pull request since I am not familiar with the build setup of LibreOffice. Hopefully that is fine for you.
Kind regards
More information about the LibreOffice
mailing list