load zlib-1.3.1.tar.xz from mirrors #364

Open
howie-f wants to merge 1 commit into xbmc:Piers from howie-f:Piers

@howie-f (Contributor) commented Feb 22, 2026

No description provided.

kodiai bot commented Feb 22, 2026

Kodiai Review Summary

What Changed

This PR updates the zlib dependency download URL from the official zlib.net website to Kodi's mirror infrastructure (mirrors.kodi.tv), maintaining the same version (1.3.1).

Reviewed: docs

Strengths

  • ✅ Maintains the same zlib version (1.3.1), ensuring no unintended version changes
  • ✅ Aligns with existing dependency mirror patterns used for xz-utils, bz2, and other dependencies in this repository

Observations

Impact

[MEDIUM] depends/common/zlib/zlib.txt (1): Protocol downgrade from HTTPS to HTTP
The change switches from https://www.zlib.net to http://mirrors.kodi.tv, downgrading the connection security. While consistent with other dependencies in this repository (xz-utils, bz2), HTTP connections are vulnerable to man-in-the-middle attacks during download. Consider whether checksum verification is performed post-download to mitigate this risk.

Suggestions

  • Future consideration: Evaluate moving all dependency mirrors to HTTPS to eliminate protocol downgrade risks across the dependency chain

Verdict

🟡 Ready to merge with minor items -- Optional cleanup suggestions below (no blockers)

Review Details
  • Files reviewed: 1
  • Lines changed: +1 -1
  • Profile: strict (auto, lines changed: 2)
  • Author: regular (default)
  • Findings: 0 critical, 0 major, 1 medium, 0 minor (includes 1 from summary observations)
  • Review completed: 2026-02-22T08:53:10.919Z
  • Keyword parsing: No keywords detected
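
The post-download check the review asks about, as an added example that is not part of this PR or of the repository's build scripts: the archive is hashed after download and compared with a digest pinned alongside the URL, and a mismatching file is deleted before anything can extract it. The function names and the sample bytes are assumptions; the real zlib-1.3.1.tar.xz digest is not given on this page, so the pinned value here is derived from constructed data.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the downloaded tarball (not the real archive).
SAMPLE_ARCHIVE = b"constructed sample bytes standing in for zlib-1.3.1.tar.xz"
# In a real build the pinned digest is committed next to the URL in the
# repository; it must never be fetched from the same HTTP mirror.
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large archives are not held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, pinned_hex):
    """Return True only if the file matches the pinned digest; delete it otherwise."""
    actual = sha256_file(path)
    if hmac.compare_digest(actual, pinned_hex.strip().lower()):
        return True
    os.remove(path)  # fail closed: a mismatching archive never reaches extraction
    return False


def demo():
    """Check an intact copy and a copy altered in transit.

    Returns (intact_ok, tampered_ok, tampered_file_still_exists).
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "zlib-1.3.1.tar.xz")
        bad = os.path.join(tmp, "zlib-1.3.1.tampered.tar.xz")
        with open(good, "wb") as fh:
            fh.write(SAMPLE_ARCHIVE)
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_ARCHIVE + b"\x00")  # one byte changed on the wire
        intact_ok = verify_download(good, PINNED_SHA256)
        tampered_ok = verify_download(bad, PINNED_SHA256)
        return intact_ok, tampered_ok, os.path.exists(bad)


if __name__ == "__main__":
    print(demo())
```

With a digest pinned in the repository, the transport no longer has to be trusted for integrity; HTTP then only leaks which file is being fetched.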
