Add a fallback to wget if curl is not available #1913
Conversation
tgross35
force-pushed
the
add-wget
branch
3 times, most recently
from
159400d
to
6be3097
Compare
www/install.sh
Outdated
| if command -v curl > /dev/null; then | ||
| curl --proto =https --tlsv1.2 -sSfL "$url" "-o$output" | ||
| else | ||
| # Some wget implementations support these flags, but busybox |
There was a problem hiding this comment.
How about trying wget with all options and then falling back to using none of the options if that fails? We might try the download twice, if there's some other error, like the network not being up, but that might be better than checking each flag individually?
There was a problem hiding this comment.
That sounds reasonable, I updated to do this and tested with both ubuntu and alpine. I had to suppress stderr from the first run so it doesn't print the help message on Alpine, but that should be fine.
There was a problem hiding this comment.
Actually... maybe we don't want to just try twice? With the change, if HTTPS fails or TLS is outdated then it will just rerun without the flags :)
I don't think the flags actually add much since the URL is https, your call for what to do
tgross35
force-pushed
the
add-wget
branch
4 times, most recently
from
76d7388
to
8d8c32e
Compare
This allows using the install script on Alpine containers and other busybox-based systems with no additional dependencies. The script attempts to use `--https-only --secure-protocol=TLSv1_3 --no-verbose` if available, otherwise falls back to a portable wget call. Additionally, error on invalid arguments.
|
Is it just old versions of wget which don't support those flags? I think perhaps we should always use those flags, since I'm a little bit wary of not using them just because they aren't supported. |
There was a problem hiding this comment.
I removed the fallback to insecure wget. This fallback would have triggered if there was a cert error, so a MITM could potentially have intentionally downgraded the connection to insecure wget.
If it's necessary to support boxes that don't have a secure curl or wget, we should add a --insecure flag download with forcing TLS.
This allows using the install script on Alpine containers and other busybox-based systems with no additional dependencies.
The script attempts to use
--https-only --secure-protocol=TLSv1_3 --no-verboseif available, otherwise falls back to a portable wget call.Additionally, error on invalid arguments (currently syntax errors silently continue).
This is based on top of #1912, which should be merged first. The main change for this PR is in the second commit.
Tested on ubuntu (wget is GNU and sh is Dash, no pipefail) and alpine (wget and sh are both alpine, yes pipefail)