[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS
Pidgin
trac at pidgin.im
Sun Aug 26 12:06:49 EDT 2012
#15277: Windows installer relies on HTTP rather than HTTPS
-------------------------+--------------------------------------------------
Reporter: ioerror | Owner: datallah
Type: enhancement | Status: new
Milestone: | Component: winpidgin (gtk)
Version: 2.10.6 | Resolution:
Keywords: security |
-------------------------+--------------------------------------------------
Comment(by datallah):
The pidgin.im URLs referenced here simply redirect to the SF.net download
URLs.
Instead of pinning certs (which I'm pretty sure the NSISdl infrastructure
wouldn't support, and wouldn't work anyway since we're actually
downloading from some SF.net mirror), I think we should make the installer
validate the hash of the files it downloads against the expected value
(with the expected hash value either baked into the installer, or
preferably, downloaded via HTTPS).
FYI there is also an "offline" installer that includes these resources in
the initial download.
--
Ticket URL: <http://developer.pidgin.im/ticket/15277#comment:5>
Pidgin <http://pidgin.im>
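
The hash check proposed in the comment above, as an added example: this is not code from the Pidgin installer (which is written in NSIS) or from the ticket. It assumes SHA-256 and a sha256sum-style manifest that is either baked into the installer or fetched over HTTPS; the file name, payload and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed manifest in sha256sum format ("<hex digest>  <file name>").
# File name and contents are made up; in the scheme from the comment this
# text would be baked into the installer or downloaded over HTTPS.
SAMPLE_PAYLOAD = b"constructed sample payload\n"
SAMPLE_MANIFEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest() + "  example-runtime.zip\n"


def parse_manifest(text):
    """Return {file name: lowercase hex digest}; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError("malformed manifest line: %r" % line)
        expected[name] = digest
    return expected


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large downloads are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, name, expected):
    """True only if `name` is listed and its digest matches; otherwise delete the file."""
    want = expected.get(name)  # a file missing from the manifest fails closed
    ok = want is not None and hmac.compare_digest(sha256_file(path), want)
    if not ok and os.path.exists(path):
        os.remove(path)  # do not leave an unverified download where it could be run
    return ok
```

Because the trust anchor is the manifest rather than the transport, the check holds regardless of which mirror served the file over HTTP.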