Security concern

Aaron Hadley spork21 at gmail.com
Thu Jun 25 11:31:47 EDT 2015


Thank you for the prompt and informative reply! I'll verify my download.

On Thu, Jun 25, 2015 at 8:24 AM, Ethan Blanton <elb at pidgin.im> wrote:

> Aaron Hadley spake unto us the following wisdom:
> > I use pidgin every day and I love it. Thank you for making a great
> > product!
> >
> > I'm concerned about the number of reports about malware and viruses
> > coming from projects hosted on sourceforge. Has the Pidgin team
> > considered changing hosting for the software? I'd also love to see a
> > sha-1 of the pidgin installers right next to the download link if
> > possible. Thank you for listening to my concerns.
>
> We are also somewhat concerned by this, although it appears that it
> affects only abandoned projects (and has not affected us,
> specifically).
>
> All of our source and binary releases are cryptographically signed.
> PGP signatures from a Pidgin developer are provided for every download
> (both tarballs and Windows executables; these are the .asc files), and
> the Windows executables are signed using Windows binary-signing
> techniques by a Pidgin developer.
>
> SHA-1 signatures, in addition to being vulnerable to forging due to
> flaws in the SHA-1 protocol for uses such as this, do not provide any
> protection in addition to the existing signatures, and also do not
> show provenance.  Separating the signature from the download (by
> hosting the signature on pidgin.im) would have some utility, of
> course.
>
> I appreciate your concern for this issue, and I suggest that you
> verify the signatures on your Pidgin downloads.  If you have any
> questions about signature validity, please feel free to contact us.
>
> Ethan
>
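The argument in the quoted reply (a checksum published beside the download adds nothing against a compromised host, a detached signature under a key obtained out of band does, and a checksum shows no provenance) is easy to model. The following is an added, constructed example, not Pidgin code and not its release process: it uses a deliberately tiny textbook RSA (two hard-coded Mersenne primes, no padding) purely so the script runs offline, and the "installer" bytes are placeholders.

```python
"""Toy model of mirror compromise vs. checksum vs. detached signature.

Constructed example: the RSA key below is a TOY (fixed Mersenne primes,
no padding) chosen so the script runs offline; never use it for real signing.
"""
import hashlib

# Developer's toy key pair. P and Q are the Mersenne primes 2^127-1 and 2^89-1,
# so N is about 216 bits. E = 65537 is coprime to (P-1)(Q-1) for these primes.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                          # public exponent (shipped with the key)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (stays with the developer)


def digest_int(data: bytes) -> int:
    """SHA-256 truncated to 26 bytes (208 bits) so it is always below N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:26], "big")


def sign(data: bytes, private_d: int) -> int:
    """Detached signature over the file, the role of a .asc file."""
    return pow(digest_int(data), private_d, N)


def verify(data: bytes, sig: int, public_e: int) -> bool:
    """Check a detached signature with the developer's PUBLIC key."""
    return pow(sig, public_e, N) == digest_int(data)


def publish(installer: bytes) -> dict:
    """What the developer uploads to the mirror: file, checksum, signature."""
    return {
        "installer": installer,
        "sha1": hashlib.sha1(installer).hexdigest(),
        "asc": sign(installer, D),
    }


def compromise_mirror(site: dict, trojaned: bytes) -> dict:
    """An attacker who controls the host swaps the file and recomputes the
    checksum beside it. Without D they cannot produce a matching .asc, so the
    stale signature is left in place (removing it fails verification just the same)."""
    return {
        "installer": trojaned,
        "sha1": hashlib.sha1(trojaned).hexdigest(),
        "asc": site["asc"],
    }


def check_with_checksum(site: dict) -> bool:
    """Checksum taken from the same host as the download."""
    return hashlib.sha1(site["installer"]).hexdigest() == site["sha1"]


def check_with_offsite_checksum(site: dict, trusted_sha1: str) -> bool:
    """Checksum fetched from a second, uncompromised host (the 'separate hosting'
    point in the reply). Catches the swap, but still says nothing about WHO built it."""
    return hashlib.sha1(site["installer"]).hexdigest() == trusted_sha1


def check_with_signature(site: dict, developer_public_e: int = E) -> bool:
    """Signature check; the public key's fingerprint must come from the developers,
    not from the mirror, otherwise the attacker would just ship their own key."""
    return verify(site["installer"], site["asc"], developer_public_e)


# Constructed stand-ins for a genuine and a trojaned installer.
GENUINE = b"constructed stand-in for a genuine pidgin installer"
TROJANED = b"constructed stand-in for a trojaned installer"


def demo() -> dict:
    honest = publish(GENUINE)
    offsite_sha1 = honest["sha1"]          # copied to a trusted second host
    hacked = compromise_mirror(honest, TROJANED)
    return {
        "honest_checksum": check_with_checksum(honest),
        "honest_signature": check_with_signature(honest),
        "hacked_checksum": check_with_checksum(hacked),            # True: no protection
        "hacked_offsite_checksum": check_with_offsite_checksum(hacked, offsite_sha1),
        "hacked_signature": check_with_signature(hacked),          # False: caught
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two results that matter are `hacked_checksum` (True: the same-host checksum is fooled) and `hacked_signature` (False: the stale `.asc` no longer matches). In practice the same check for a real Pidgin download is `gpg --verify <file>.asc <file>` after importing the signing developer's key and confirming its fingerprint through a channel other than the download mirror; the checksum-on-a-second-host variant catches a swapped file too, but only a signature ties the file to a specific signer.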