[cmake-developers] Unexpected bad status for file DOWNLOAD for http://*.xz URLs

Eric Noulard eric.noulard at gmail.com
Fri Jul 12 17:33:15 EDT 2013


2013/7/12 Alan W. Irwin <irwin at beluga.phys.uvic.ca>:
> On 2013-07-12 20:27-0000 David Cole wrote:
>
>> It’s a bad bad really bad idea to make the build of OpenSSL “in-house” as
>> you’ve been calling it... CMake SHOULD use the system openssl for
>> distributions that have one already.
>>
>>
>> If there are problems with that approach, then the problems should be
>> addressed, but bringing a security component into “we have our own custom
>> build of that which you must use”-land is NEVER a good idea.
>>
>>
>> Just my opinion. Feel free to flame me if I’m wrong.

+1,
I won't mess-up security team work.

>
>
> Hmmm. Now that you have brought up the security aspect, I agree that
> an in-house build is probably a bad idea.  But only one "bad".  "bad
> bad really bad" is probably over the top.  And that is your monster
> flame for the day.  :-)
>
> Seriously, though, what do you do in the Windows case where
> there is no "trusted" distribution to build the openssl library for you?  I
> presume you download some Windows binary from a location you trust, but
> what location is that?

Then ask your windows provider to provide one.
How on earth could a "real" operating system be provided without a
proper SSL library implementation and header?

So, every web browser on Windows is providing his own SSL lib?

Now the real flame may begin :-]


--
Erk
L'élection n'est pas la démocratie -- http://www.le-message.org



More information about the cmake-developers mailing list