bug-gnulib

Re: Wget bootstrapping problem


From: Jeffrey Walton
Subject: Re: Wget bootstrapping problem
Date: Wed, 6 May 2020 12:51:48 -0400

On Wed, May 6, 2020 at 4:22 AM Tim Rühsen <address@hidden> wrote:
>
> On 05.05.20 03:14, Bruno Haible wrote:
> > Paul Eggert wrote:
> >>> We could switch the order such that Wget is the default and rsync is used
> >>> as a fallback
> >>
> >> That sounds better than reverting, no? Perhaps you could propose a patch.
> >
> > No. From the point of security, "wget as default and rsync as fallback" is
> > just as bad as "rsync always". Why? [1] Look at the SSLv3 / TLSv1.0 history.
> > People believed that "SSLv3 is insecure, but since it's only used as a
> > fallback, it doesn't matter". Until someone discovered a way to trick the
> > fallback to be activated always [2]...
> >
> > rsync is not secure. We should not enable it again.
> >
> > Regarding the bootstrapping problem, why not build wget in two steps:
> >   1. Bootstrap with no PO files. This produces a non-internationalized wget
> >      binary.
> >   2. Bootstrap again, using the wget binary from step 1 to fetch the PO
> >      files.
> >
> > The 'bootstrap' script has an option '--skip-po'. The gnulib-tool script
> > should behave the same way if you don't pass the --po-base=... option to it.
> >
> > If necessary, we can add another option to gnulib-tool to avoid fetching PO
> > files and/or to avoid the use of wget.
>
> I fully agree with Bruno.
>
> We could also check for an existing wget in bootstrap.conf and set
> SKIP_PO=1 if not found. While it 'just works' it also disguises the real
> problem and the user might get something unexpected
> (non-internationalized wget).

How about a --disable-translation configure option similar to
--disable-docs? That should get you over the bootstrap hurdle. But it
assumes you have an adequate Unistring and OpenSSL.

(From experience with some older systems and ransomware systems, I've
found the minimum components needed to build Wget are Unistring and
OpenSSL: https://github.com/noloader/Build-Scripts/tree/master/bootstrap).

Jeff


