Closed dismantl closed 10 years ago
This should enable opkg to fetch packages from an HTTPS package repository.
Definitely watch out that including wget-ssl doesn't invisibly pull in libopenssl too, i.e. since you're using libcyassl to trim down firmware image size. Also, you should be able to use curl instead of wget in almost any instance. curl more gracefully handles SSL operations, especially if you are skipping certificate checks.
Yeah, I'm worried about pulling in libopenssl too. So I'll see the image size difference when it's finished building. The reason for using wget is that apparently opkg uses it to fetch packages.
It looks like libopenssl is already selected in our current config.
Selected by: PACKAGE_luci-lib-nixio [=y] && PACKAGE_luci-lib-nixio_cyassl [=y] || PACKAGE_luci-lib-nixio_cyassl [=y] && <choice> || PACKAGE_uhttpd-mod-tls [=y] && PACKAGE_uhttpd [=y] && PACKAGE_uhttpd-mod-tls_cyassl [=y]
I don't know how libopenssl got re-introduced, as we went to a lot of trouble to remove it. It doesn't look like it's actually a dependency of anything.
Barrier Breaker has package signing. That might be a route for verifying packages that doesn't rely on pulling in libopenssl.
It's a dependency for luci-lib-nixio and uhttpd-mod-tls, despite our choice of CyaSSL.
Those packages have an option for selecting which SSL provider you want. They only select libopenssl if you both select the package && select the openssl option. I'm not sure why the dependencies read out the way they do, but I was able to deselect it even with nixio and mod-tls still selected, and I shouldn't be able to do that if it was a hard dependency.
You're right. And if we pull in the full wget package, that will make libopenssl a hard dependency. From the wget source, it appears to only support GnuTLS or OpenSSL. Perhaps there is no way for us to make opkg work on HTTPS repositories without pulling in libopenssl?
I was hoping that opkg had a configuration option to specify a download utility other than wget, but I don't see any evidence of that so far. Also, I'm not sure it's common practice for distros to only provide their package repositories via SSL, given that most of them do some kind of package verification.
I would suggest that, rather than pulling in wget-ssl (since we'll still have to provide the repositories unencrypted for past releases), we move forward with getting package signing set up for our transition to Barrier Breaker, and provide (but not redirect to) an HTTPS version of downloads.commotionwireless.net for people to download the router images from (and make sure that the links on our downloads page point at the HTTPS versions).
That makes sense to me. I'll close this PR then.
Hmmm. Well, here's a thing. It looks like the opkg signing support depends on libopenssl. So we might be stuck with libopenssl either way.
Building now to see how much this affects image size.