Please do not disable peer cert verification during update check
rgov opened this issue · comments
https://github.com/analogdevicesinc/iio-oscilloscope/blob/master/phone_home.c#L58-L63
This disables certificate validation when checking for updates. Please don't do this. Disabling certificate validation allows a malicious network to modify the update information, and could potentially lead a user to install a malicious update.
This is not necessary because the updates are provided by GitHub which has a valid certificate. If the client is unable to verify GitHub's certificate, it is a misconfiguration of their system. The best behavior in this case is to fail, rather than silently continue.
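As an added illustration, and not code from the iio-oscilloscope project (the `phone_home.c` lines the issue links to are not reproduced here), the weak setting the issue objects to is shown beside the verifying one, with a guard that refuses to run the update check at all if verification has been switched off. It is written with Python's standard `ssl` module rather than the project's C so that it runs stand-alone; the assumption is that the update check is an HTTPS fetch over a TLS client whose peer verification was disabled (the libcurl equivalents are `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` set to 0, though the issue itself does not quote the lines). The URL is a constructed placeholder, not the project's real update endpoint.

```python
import ssl
import urllib.request
from typing import Callable, Optional

# Constructed placeholder; the real project fetches its update info from GitHub.
UPDATE_INFO_URL = "https://example.invalid/iio-oscilloscope/latest-version.json"


class InsecureTLSConfig(RuntimeError):
    """Raised when an update check is attempted with peer verification off."""


def insecure_context() -> ssl.SSLContext:
    """The weak configuration the issue objects to: no hostname check and no
    certificate verification, so any on-path network can answer as GitHub.
    (Assumed equivalent of the disabled verification in phone_home.c.)"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The correct configuration: require a chain to a trusted CA and check the
    hostname. create_default_context() already does both; cafile optionally
    selects a specific CA bundle instead of the system store."""
    return ssl.create_default_context(cafile=cafile)


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _https_get(url: str, ctx: ssl.SSLContext) -> bytes:
    """Plain HTTPS GET using the supplied context."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


def fetch_update_info(
    url: str,
    ctx: ssl.SSLContext,
    fetch: Callable[[str, ssl.SSLContext], bytes] = _https_get,
) -> bytes:
    """Refuse to run the update check when verification is disabled.

    A verification failure (ssl.SSLCertVerificationError) is deliberately not
    caught: on a misconfigured client the right outcome is to fail, not to
    fall back to an unverified connection."""
    if not context_verifies_peer(ctx):
        raise InsecureTLSConfig("update check refused: peer verification is disabled")
    return fetch(url, ctx)


if __name__ == "__main__":
    try:
        fetch_update_info(UPDATE_INFO_URL, insecure_context())
    except InsecureTLSConfig as exc:
        print("rejected:", exc)
    print("hardened context verifies peer:", context_verifies_peer(hardened_context()))
```

The `fetch` parameter exists only so the guard can be exercised without network access; in a real client the default `_https_get` is used, and a `ssl.SSLCertVerificationError` from it should surface as a failed update check rather than be retried with verification off.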
Thank you for pointing this out!
Closing now, since the PR was merged.
[edit] Feel free to re-open the issue if that's the case.