mbed-cli: mbed add breaks certain URLs

Bug report. Using Mbed CLI 1.3.0; Mbed OS 5.7.3; on Windows 10.

I have some .lib files in my project which point to internal git repos which are of the form

http://servername:portnum/path/to/repo

mbed add clones the repo, but then it puts the path in the .lib file as

https://servername/portnum/path/to/repo

HTTPS instead of HTTP, and / instead of : delimiting servername from portnum. Then mbed update doesn’t work because the repo path is wrong.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

@bmcdonnell-ionx thanks for trying this out. I’ve just added a small fix to address the port number issue. Please let me know if that works for your use-case.

Regarding insecure, in the majority of use cases the end-user doesn’t know about every single repository URL that will be accessed/cloned during mbed import/add. And unlike the git clone <url> command, where the end-user is de facto aware of what’s being cloned (essentially it’s a “consensual clone” as they can see the URL before executing git), mbed CLI clones many repositories recursively without prior consent/user awareness, except for the starting repository, or the program URL.

This poses some challenges, including legally, as an end-user could always blame mbed CLI for causing their git or hg to try to access a funky URL/service port.

For example, combining the recursive nature of mbed CLI with bad intentions could lead to terrifying results. It’s not hard to imagine a malicious program containing hundreds of .lib files pointing at different ports at b1-rtr0-hsrp.jpl.nasa.gov (as repo URLs), which, once mbed CLI starts cracking on it, would look a lot like port scanning. And making multiple connection attempts on a government monitored network, like NASA’s, can get you in real trouble.

Furthermore, in many corporate networks, any connection attempt on arbitrary ports (usually below port 1024) is flagged, logged and reported - even if it was for all the good reasons.

With everything said above, “--insecure” provides this user consent, effectively acting as a legally binding agreement that the end-user knows what they’re doing.

Hope that makes sense. Please let me know if you’d like me to clarify further.
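An added Python sketch, not mbed-cli's own code, that reproduces the URL rewrite described in the bug report beside a normalization that keeps scheme and port intact, plus a consent check of the kind the “--insecure” discussion above describes. The hostname, port and path values are constructed, the `#revision` suffix handling and the "plain-text scheme or non-default port" policy are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a repo reference as it might sit in a .lib file;
# hostname, port and path are hypothetical.
LIB_URL = "http://servername:8080/path/to/repo"

# Ports a clone over each scheme is expected to use by default (assumption).
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "git": 9418}


def buggy_rewrite(url: str) -> str:
    """Hypothetical reconstruction of the reported defect: force https and
    treat every ':' in the remainder as a path separator."""
    rest = url.split("://", 1)[1]
    return "https://" + rest.replace(":", "/")


def normalize_repo_url(url: str) -> str:
    """Canonicalize a repo URL while preserving the scheme and explicit port.
    Rebuilds netloc from parsed components so host:port stays ':'-delimited;
    strips a trailing '/' and any '#revision' fragment (assumed .lib format)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    netloc = parts.hostname
    if parts.port is not None:          # raises ValueError on a bad port
        netloc += f":{parts.port}"
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))


def needs_insecure_consent(url: str) -> bool:
    """True if cloning this URL would use a plain-text scheme or a port other
    than the scheme's default, i.e. the cases a user should opt into
    explicitly rather than having them reached by a recursive clone."""
    parts = urlsplit(normalize_repo_url(url))
    scheme = parts.scheme.lower()
    if scheme not in ("https", "ssh"):
        return True
    return parts.port is not None and parts.port != DEFAULT_PORTS[scheme]


if __name__ == "__main__":
    print("buggy     :", buggy_rewrite(LIB_URL))
    print("normalized:", normalize_repo_url(LIB_URL))
    print("consent?  :", needs_insecure_consent(LIB_URL))
```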

@bmcdonnell-ionx The release is now live. Mbed CLI 1.6.0. Thanks for your help and patience on this major change to Mbed CLI to support arbitrary URLs.

I opened #642.