Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.105-1-e6bc2400f376a9e1e6c0d7653674211c/kmod-usb-ledtrig-usbport_5.4.105-1_aarch64_cortex-a72.ipk
Installing luci-app-ledtrig-rssi (git-20.125.36159-be640ce) to root...
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/luci/luci-app-ledtrig-rssi_git-20.125.36159-be640ce_all.ipk
Installing rssileds (3) to root...
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/base/rssileds_3_aarch64_cortex-a72.ipk
Installing bcm27xx-userland (4a0a19b88b43e48c6b51b526b9378289fb712a4c-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/packages/bcm27xx-userland_4a0a19b88b43e48c6b51b526b9378289fb712a4c-1_aarch64_cortex-a72.ipk
Installing kmod-sched-ctinfo (5.4.105-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.105-1-e6bc2400f376a9e1e6c0d7653674211c/kmod-sched-ctinfo_5.4.105-1_aarch64_cortex-a72.ipk
Package ip-full (5.11.0-1) installed in root is up to date.
Package atftpd (0.7.4-1) installed in root is up to date.
check you are using master or your repositories.conf paths...
I download image builder from openwrt website
like this:
openwrt-imagebuilder-19.07.7-mvebu-cortexa9.Linux-x86_64.tar.xz
when I use that the repo urls are like this
## Place your custom repositories here, they must match the architecture and version.
# src/gz %n http://downloads.openwrt.org/releases/19.07.7
# src custom file:///usr/src/openwrt/bin/mvebu/packages
## Remote package repositories
src/gz openwrt_core http://downloads.openwrt.org/releases/19.07.7/targets/mvebu/cortexa9/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/base
src/gz openwrt_freifunk http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/freifunk
src/gz openwrt_luci http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/telephony
## This is the local package repository, do not remove!
src imagebuilder file:packages
which is http not https.
every time I download the image builder I have to change them manually.
Sorry, it seems I misunderstood you as my comment is mostly relevant for the build system.
When building from sources, the build process depends on many external projects which authors sometimes don't offer HTTPS, or configure the server incorrectly, or use outdated certificates, etc.
With dozens of different sources, the risk that something goes wrong rises exponentially, so it's just another point of failure without significant benefits to the purpose.
I agree that HTTPS can be a good additional layer of security when using the ImageBuilder.
If you are concerned about State-issue concerns, using 19.07 and the packages FOR 19.07 should be a concern. You would be better basing your images (multiple, guessing from the OP) on 21.02 or master/main branch of your own fork to freeze the devel.
thanks for noticing my point.
yes I meant that downloads.openwrt.org needs to be set as https.
I changed the title to reflect that.
but if I remember correctly from my git compile days on openwrt, the image compiler (not builder but the one that needs the whole development environment) also tries to download from openwrt website the sources that it uses. for example if it tries to compile tor it first tries to download it from somewhere on openwrt.org website. I just don't remember where.
no, not NSA level.
contrary to western belief iran network is more geared toward censorship not surveillance (to be honest I would have preferred the reverse).
but overall, anywhere you live should not matter. this is a trend(belief/gaol ?) of internet activist and recently some corporations' to make https the default one. like mozilla https-only mode and chrome warning about http downloads and so on.
which is a good trend.
if it wasn't for covid19 we would have moved more toward that mode, but special care needed to be made so that very old website that are for healthcare still work so they delayed a lot of changes for that.
btw what is the difference between the two point releases that makes a difference vis-a-vis state-wide issues?
just newer version of programs or some new great feature that I have not heard about?
I didnt get your point.
also I try to avoid git version, because I wasted a lot of time on that before moving to imagebuilder (that creates images from prebuild ipks). the time used by that process was not worth it, and I needed that only for some packages to change their options.
also how does openwrt verify the downloads?
doesnt it download a .sig file and check the files against that?
I dont completely understand this verify process but from what I understand it checks it against a file.
is that file inside the openwrt imagebuilder or is it downloaded.
if it is downloaded then cant it be manipulated when it is transmitted via http with no https?
The comment was more about anyone having the need to worry about security (for whatever reasons), including state-agent surveillance or censorship, would probably be interested in the code changes since July, 2019. The branch was set then, and while security patches were backported, the kernel is certainly out of date. The packages were also forked July 2019, and I couldn't attest to security updates being backported for 19.07 packages (might be wrong, might depend on the maintainer).
For anyone concerned about security, these will play into consideration (or should).
thank you for clearifying. I thought I missed some news or a feature that was announced for 21.02
about the point you made I am not sure that kernel security is that outdated for a remote device (but maybe there are cases that can be exploited remotely) I think programs running on the device are more important to be updated and they are to some extent on openwrt.
on the other hand if you use the newest kernel you actually open yourself to new exploit and bugs that may have slipped in.
these are just my opinions and not expert ones.
Why?
Isn't the signature verified against the keys included in the imagebuilder, and those keys are obtained from the OpenWrt keyring during the build process of the imagebuilder itself. Additionally, if somebody builds imagebuilder for himself, the local build key is included in that case, similarly as with any private build.
The keys in the official keyring are installed in the build process (of the imagebuilder). Keyring includes separate keys for master snapshots, 21.02, 19.07 etc.
It's goes to what I was saying about using older version rather than updated ones The verification you were looking for was added after 19.07, and therefor, isn't in it. It is in 21.02 though, it seems.
