[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS

Pidgin trac at pidgin.im
Thu Sep 20 13:20:31 EDT 2012


#15277: Windows installer relies on HTTP rather than HTTPS
-------------------------+------------------------------
 Reporter:  ioerror      |       Owner:  datallah
     Type:  enhancement  |      Status:  new
Milestone:               |   Component:  winpidgin (gtk)
  Version:  2.10.6       |  Resolution:
 Keywords:  security     |
-------------------------+------------------------------

Comment (by ioerror):

 Replying to [comment:8 Daniel Atallah <datallah@…>]:
 > (In [40eb50cbc39d]):
 > Add support to the win32 installer to check the sha1sum of the downloaded GTK
 > Bundle and debug symbols.  Refs #15277
 >
 >  * To make this worthwhile, the download redirection URL (which also
 >    serves the sha1sums) now uses https.
 >  * This uses a custom NSIS plugin (distributed, along with its source in the
 >    Pidgin installer deps) to do the sha1sum calculation on the downloaded
 >    resources.  The plugin is based on the win32 sha1sum implementation by
 >    Werner Koch (http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000184.html).


 This is a good start - thanks for making it happen, Daniel.

 I wonder - would it be possible to make a very small stub installer that
 embeds all of the sha1sum hashes into it and fetches everything as
 expected? If so, putting that up on a secure download page seems like an
 absolute win for everyone.

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15277#comment:9>
Pidgin <http://pidgin.im>
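
An added example, not part of the original message and not Pidgin's installer code (which uses an NSIS plugin): the stub-installer idea from the comment above, written in Python, where the SHA-1 digests are embedded in the installer itself rather than fetched from the download server. The component name, payload and digest are constructed placeholders, and `verify_download` and `demo` are hypothetical names.

```python
import hashlib
import os
import tempfile

# Constructed manifest: component name -> SHA-1 hex digest pinned at build time.
# The file name and contents are placeholders, not Pidgin's real bundle or hashes.
SAMPLE_PAYLOAD = b"constructed sample bundle contents\n"
EMBEDDED_SHA1 = {
    "gtk-bundle.zip": hashlib.sha1(SAMPLE_PAYLOAD).hexdigest(),
}


def sha1_of_file(path, chunk_size=65536):
    """Stream the file through SHA-1 so large downloads are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(name, path, manifest=EMBEDDED_SHA1):
    """Fail closed: True only if `path` matches the digest pinned for `name`."""
    expected = manifest.get(name)
    ok = expected is not None and sha1_of_file(path) == expected.lower()
    # Remove rejected files so a later install step cannot pick them up.
    if not ok and os.path.exists(path):
        os.remove(path)
    return ok


def demo():
    """Verify an intact and a tampered copy of the constructed payload."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("intact", SAMPLE_PAYLOAD),
                            ("tampered", SAMPLE_PAYLOAD + b"x")):
            path = os.path.join(tmp, label + ".zip")
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = (verify_download("gtk-bundle.zip", path),
                              os.path.exists(path))
    return results


if __name__ == "__main__":
    print(demo())
```

With the digests pinned inside the stub, the integrity of each downloaded component depends only on how the stub itself was obtained, not on the server that hosts the bundle.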