treewide: use HTTPS for PKG_SOURCE_URL where possible

aparcar · aparcar · commit 7a991c8d88b8 · 2026-04-20T11:58:37.000+08:00
Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https:// across tools/ and package/. PKG_HASH alone does not protect against an attacker tampering with insecure downloads when a maintainer regenerates the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the captured hash reflects real upstream content. In-place http -> https (HTTPS reachability verified per host): - tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools, tools/libressl, tools/xz - package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink Replaced with @openwrt (HTTPS-only mirror) where the upstream HTTPS host is dead or has a broken certificate: - package/libs/popt (ftp.rpm.org cert mismatch) - package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org) - package/boot/imx-bootlets (trabant.uid0.hu cert mismatch) - package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root) Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is already listed): - package/boot/uboot-tools, tools/mkimage Signed-off-by: Paul Spooren <mail@aparcar.org>
diff --git a/package/boot/imx-bootlets/Makefile b/package/boot/imx-bootlets/Makefile
@@ -10,7 +10,7 @@ PKG_NAME:=imx-bootlets
 PKG_VERSION:=10.12.01
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://trabant.uid0.hu/openwrt/
+PKG_SOURCE_URL:=@OPENWRT
 PKG_HASH:=f7c98cbc41e15184cad61c56115e840e34ac3ebb4a162fadeea905e5038fd65b
 
 PKG_FLAGS:=nonshared
diff --git a/package/boot/kobs-ng/Makefile b/package/boot/kobs-ng/Makefile
@@ -12,7 +12,7 @@ PKG_VERSION:=5.4
 PKG_RELEASE:=1
 
 PKG_SOURCE:=imx-kobs-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.freescale.com/lgfiles/NMG/MAD/YOCTO/
+PKG_SOURCE_URL:=@OPENWRT
 PKG_HASH:=85171b46068ac47c42fedb8104167bf9afd33dd9527ed127e1ca2eb29d7a86bf
 PKG_BUILD_DIR:=$(BUILD_DIR)/imx-kobs-$(PKG_VERSION)
 
diff --git a/package/boot/uboot-tools/Makefile b/package/boot/uboot-tools/Makefile
@@ -7,8 +7,7 @@ PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_DISTNAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://ftp.denx.de/pub/u-boot \
-	https://mirror.cyberbits.eu/u-boot \
-	ftp://ftp.denx.de/pub/u-boot
+	https://mirror.cyberbits.eu/u-boot
 PKG_URL:=https://docs.u-boot.org/en/latest/
 PKG_HASH:=ac7c04b8b7004923b00a4e5d6699c5df4d21233bac9fda690d8cfbc209fff2fd
 PKG_SOURCE_SUBDIR:=$(PKG_DISTNAME)-$(PKG_VERSION)
diff --git a/package/firmware/ixp4xx-microcode/Makefile b/package/firmware/ixp4xx-microcode/Makefile
@@ -9,7 +9,7 @@ PKG_VERSION:=2.4
 PKG_RELEASE:=1
 
 PKG_SOURCE:=IPL_ixp400NpeLibraryWithCrypto-2_4.zip
-PKG_SOURCE_URL:=http://downloads.openwrt.org/sources
+PKG_SOURCE_URL:=@OPENWRT
 PKG_HASH:=1b1170d0657847248589d946048c0aeaa9cd671966fc5bec5933283309485eaa
 
 PKG_FLAGS:=nonshared
diff --git a/package/libs/libmnl/Makefile b/package/libs/libmnl/Makefile
@@ -13,8 +13,8 @@ PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
-	http://www.netfilter.org/projects/libmnl/files \
-	ftp://ftp.netfilter.org/pub/libmnl
+	https://www.netfilter.org/projects/libmnl/files \
+	https://ftp.netfilter.org/pub/libmnl
 PKG_HASH:=274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525
 
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
diff --git a/package/libs/libnfnetlink/Makefile b/package/libs/libnfnetlink/Makefile
@@ -13,8 +13,8 @@ PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
-	http://www.netfilter.org/projects/libnfnetlink/files/ \
-	ftp://ftp.netfilter.org/pub/libnfnetlink/
+	https://www.netfilter.org/projects/libnfnetlink/files/ \
+	https://ftp.netfilter.org/pub/libnfnetlink/
 PKG_HASH:=b064c7c3d426efb4786e60a8e6859b82ee2f2c5e49ffeea640cfe4fe33cbc376
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=GPL-2.0+
diff --git a/package/libs/mpfr/Makefile b/package/libs/mpfr/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=mpfr
 PKG_VERSION:=4.2.2
 PKG_RELEASE:=1
 
-PKG_SOURCE_URL:=@GNU/mpfr http://www.mpfr.org/mpfr-$(PKG_VERSION)
+PKG_SOURCE_URL:=@GNU/mpfr https://www.mpfr.org/mpfr-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_HASH:=b67ba0383ef7e8a8563734e2e889ef5ec3c3b898a01d00fa0a6869ad81c6ce01
 
diff --git a/package/libs/popt/Makefile b/package/libs/popt/Makefile
@@ -12,7 +12,7 @@ PKG_VERSION:=1.19
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://ftp.rpm.org/popt/releases/popt-1.x/
+PKG_SOURCE_URL:=@OPENWRT
 PKG_HASH:=c25a4838fc8e4c1c8aacb8bd620edb3084a3d63bf8987fdad3ca2758c63240f9
 PKG_LICENSE:=MIT
 PKG_CPE_ID:=cpe:/a:popt_project:popt
diff --git a/tools/dosfstools/Makefile b/tools/dosfstools/Makefile
@@ -13,7 +13,7 @@ PKG_VERSION:=4.2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/dosfstools/dosfstools/releases/download/v$(PKG_VERSION)/ \
-		http://fossies.org/linux/misc
+		https://fossies.org/linux/misc
 PKG_HASH:=64926eebf90092dca21b14259a5301b7b98e7b1943e8a201c7d726084809b527
 
 HOST_FIXUP:=autoreconf
diff --git a/tools/elftosb/Makefile b/tools/elftosb/Makefile
@@ -10,7 +10,7 @@ PKG_NAME:=elftosb
 PKG_VERSION:=10.12.01
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://repository.timesys.com/buildsources/e/elftosb/elftosb-10.12.01/
+PKG_SOURCE_URL:=https://repository.timesys.com/buildsources/e/elftosb/elftosb-10.12.01/
 PKG_HASH:=77bb6981620f7575b87d136d94c7daa88dd09195959cc75fc18b138369ecd42b
 
 include $(INCLUDE_DIR)/host-build.mk
diff --git a/tools/liblzo/Makefile b/tools/liblzo/Makefile
@@ -12,7 +12,7 @@ PKG_VERSION:=2.10
 PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/
+PKG_SOURCE_URL:=https://www.oberhumer.com/opensource/lzo/download/
 PKG_HASH:=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
 
 PKG_LICENSE:=GPL-2.0-or-later
diff --git a/tools/libressl/Makefile b/tools/libressl/Makefile
@@ -15,7 +15,7 @@ PKG_CPE_ID:=cpe:/a:openbsd:libressl
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://mirror.ox.ac.uk/pub/OpenBSD/LibreSSL \
-	http://ftp.jaist.ac.jp/pub/OpenBSD/LibreSSL \
+	https://ftp.jaist.ac.jp/pub/OpenBSD/LibreSSL \
 	https://ftp.openbsd.org/pub/OpenBSD/LibreSSL
 
 HOST_BUILD_PARALLEL:=1
diff --git a/tools/lzop/Makefile b/tools/lzop/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=lzop
 PKG_VERSION:=1.04
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.lzop.org/download/
+PKG_SOURCE_URL:=https://www.lzop.org/download/
 PKG_HASH:=7e72b62a8a60aff5200a047eea0773a8fb205caf7acbe1774d95147f305a2f41
 
 PKG_LICENSE:=GPL-2.0-or-later
diff --git a/tools/mkimage/Makefile b/tools/mkimage/Makefile
@@ -12,8 +12,7 @@ PKG_VERSION:=2026.04
 PKG_SOURCE:=u-boot-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://mirror.cyberbits.eu/u-boot \
-	https://ftp.denx.de/pub/u-boot \
-	ftp://ftp.denx.de/pub/u-boot
+	https://ftp.denx.de/pub/u-boot
 PKG_HASH:=ac7c04b8b7004923b00a4e5d6699c5df4d21233bac9fda690d8cfbc209fff2fd
 
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/u-boot-$(PKG_VERSION)
diff --git a/tools/mpfr/Makefile b/tools/mpfr/Makefile
@@ -10,7 +10,7 @@ PKG_NAME:=mpfr
 PKG_VERSION:=4.2.2
 PKG_CPE_ID:=cpe:/a:mpfr:gnu_mpfr
 
-PKG_SOURCE_URL:=@GNU/mpfr http://www.mpfr.org/mpfr-$(PKG_VERSION)
+PKG_SOURCE_URL:=@GNU/mpfr https://www.mpfr.org/mpfr-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_HASH:=826cbb24610bd193f36fde172233fb8c009f3f5c2ad99f644d0dea2e16a20e42
 
diff --git a/tools/xz/Makefile b/tools/xz/Makefile
@@ -12,7 +12,7 @@ PKG_VERSION:=5.8.3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://github.com/tukaani-project/xz/releases/download/v$(PKG_VERSION) \
 		@SF/lzmautils \
-		http://tukaani.org/xz
+		https://tukaani.org/xz
 PKG_HASH:=33bf69c0d6c698e83a68f77e6c1f465778e418ca0b3d59860d3ab446f4ac99a6
 PKG_CPE_ID:=cpe:/a:tukaani:xz
 
