Blacklisting "suspicious" builds

I don't want to start a new discussion on using builds from others, security, trust and credits. Also, I don't want to start a witch-hunt.
And I am fine if I get a warning and the thread is getting deleted. And I am not talking about the "official" section openwrt.org/downloads.

But in the last two days only, I stumbled across two postings about custom builds and I checked the downloads from Dropbox and unknown websites. For me, as a regular-paranoid IT guy, it is totally unclear how someone can download and install binaries that are built by other people.
I do even (cross) compile grafana, kubectl or any other tools if there is a single chance to build them. (I would even compile Ubuntu if I could - haha) But please don't start a discussion on how secure the sources etc. are, there are other threads for that.

My question is: Is it possible to mark threads as "suspicious" or "probably dangerous" or should I send a letter to one of the admins if I think there might be a suspicious sheep?
The goal of this question is simple:

  • Warn others against downloading and installing the binaries. I heavily assume that there are lots of people who don't care or who might not be as critical as someone should be from my point of view. I also know that my attitude might be a bit too paranoid.
  • From my point of view the act itself to make a binary available for download is suspicious and by nature a "trap". Moreover I could imagine that custom downloads / links to custom downloads are simply not allowed on the forum. Why does someone - who is able to build images - not provide the build script & procedures?

The threads from the last two days are listed below. Just look at the joined, last post and seen dates. My understanding is that "seen" was the last time the user was logged in.

Post Security Focused LEDE Build. 161 Routers supported so far ( TP-Link, Arduino, Archer, Linksys, Netgear, Ubiquity and more )
User LEDEuser
Joined Jul 13, '17
Last Post Sep 14, '17
Seen Sep 22, '17

Minimum/Lite Firmware for TPLINK-MR1XU-MR3XXX-WA7XX-WA8XX-WA901ND
https://forum.openwrt.org/t/minimum-lite-firmware-for-tplink-mr1xu-mr3xxx-wa7xx-wa8xx-wa901nd-wa7x10n-wr7xxn-wr8xxn-wr9xxnd-wr1041n-netgear-wnr612-wnr1000-wnr2000-wpn824n-4m-flash-only/11018/11
User AndyX
Joined Dec 25, '17
Last Post May 13
Seen May 13

1 Like

image

and describe your concerns and the information you used to arrive at your position

5 Likes

In general, this information should be notated in the ToH for the arbitrary device.

  • Each device's community should be maintaining the ToH for their device with what community builds are trusted, and if there are community builds that should not be trusted, this should also be notated.
