Security concern

Ethan Blanton elb at pidgin.im
Thu Jun 25 11:24:54 EDT 2015


Aaron Hadley spake unto us the following wisdom:
> I use pidgin every day and I love it. Thank you for making a great
> product!
> 
> I'm concerned about the number of reports about malware and viruses
> coming from projects hosted on sourceforge. Has the Pidgin team
> considered changing hosting for the software? I'd also love to see a
> sha-1 of the pidgin installers right next to the download link if
> possible. Thank you for listening to my concerns.

We are also somewhat concerned by this, although it appears that it
affects only abandoned projects (and has not affected us,
specifically).

All of our source and binary releases are cryptographically signed.
PGP signatures from a Pidgin developer are provided for every download
(both tarballs and Windows executables; these are the .asc files), and
the Windows executables are signed using Windows binary-signing
techniques by a Pidgin developer.

SHA-1 signatures, in addition to being vulnerable to forging due to
flaws in the SHA-1 protocol for uses such as this, do not provide any
protection in addition to the existing signatures, and also do not
show provenance.  Separating the signature from the download (by
hosting the signature on pidgin.im) would have some utility, of
course.

I appreciate your concern for this issue, and I suggest that you
verify the signatures on your Pidgin downloads.  If you have any
questions about signature validity, please feel free to contact us.

Ethan