ANNOUNCE: xfce4-terminal 0.8.2 released

NicoHood archlinux at nicohood.de
Sun Jan 1 18:59:06 CET 2017


On 01/01/2017 05:50 PM, Andrzej wrote:
> On 30/12/16 21:49, NicoHood wrote:
>> On 12/30/2016 03:52 PM, Igor wrote:
>>> xfce4-terminal 0.8.2 is now available for download from
>>>
>>> http://archive.xfce.org/src/apps/xfce4-terminal/0.8/xfce4-terminal-0.8.2.tar.bz2
>>> http://archive.xfce.org/src/apps/xfce4-terminal/0.8/xfce4-terminal-0.8.2.tar.bz2.md5
>>> http://archive.xfce.org/src/apps/xfce4-terminal/0.8/xfce4-terminal-0.8.2.tar.bz2.sha1
>>> http://archive.xfce.org/src/apps/xfce4-terminal/0.8/xfce4-terminal-0.8.2.tar.bz2.sha256
>>>
>> Igor,
>> can you please also upload a GPG signature of your sources?
>> HTTPS download mirrors would also be of high importance, otherwise there
>> is not a single authentication for the downloads.
> 
> There is no plan of supporting signatures other than md5, sha1 and
> sha256 (links above). The release system produces them in these three
> formats only and changing it has a negative priority (that is, while it
> works, we are better off not touching it).
> 
> Andrzej

Hello Andrzej,
I am sorry but those are message digests and not signatures. And since
they are downloaded via http they prove nothing. It is a high risk for
our users that we need to download the xfce sources over an insecure
channel and cannot verify their authenticity.

Please fix this serious security issue.

~Nico
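
The point argued in this thread, as an added example that is not part of the original messages or of the Xfce release tooling: a digest fetched from the same mirror as the tarball only detects accidental corruption, while a digest obtained from a separate trusted source also detects a replaced tarball. The sha256sum-style file layout, the sample byte strings and the pinned value are assumptions made for the illustration.

```python
import hashlib
import hmac

NAME = "xfce4-terminal-0.8.2.tar.bz2"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_file(data: bytes, name: str = NAME) -> str:
    # Assumed sha256sum-style layout: "<hex digest>  <file name>"
    return f"{sha256_hex(data)}  {name}\n"

def parse_digest_file(text: str, name: str = NAME) -> str:
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].lstrip("*") == name:
            return fields[0].lower()
    raise ValueError(f"no digest listed for {name}")

def matches(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

def fetch(mirror: dict, pinned_hex: str) -> dict:
    """Take tarball and digest file from one mirror, then run both checks."""
    tarball = mirror[NAME]
    listed = parse_digest_file(mirror[NAME + ".sha256"].decode())
    return {
        "same_channel_ok": matches(tarball, listed),  # digest from the same mirror
        "pinned_ok": matches(tarball, pinned_hex),    # digest from a trusted source
    }

# Constructed stand-ins for the release bytes, not real tarballs.
GENUINE = b"constructed sample: genuine release contents"
ALTERED = b"constructed sample: contents changed in transit"

def mirror_serving(data: bytes) -> dict:
    # Whoever controls the responses controls the tarball and its digest file.
    return {NAME: data, NAME + ".sha256": digest_file(data).encode()}

# Assumption: recorded once by the packager over an authenticated channel.
PINNED = sha256_hex(GENUINE)

if __name__ == "__main__":
    print("honest mirror: ", fetch(mirror_serving(GENUINE), PINNED))
    print("altered mirror:", fetch(mirror_serving(ALTERED), PINNED))
```

The same-channel check passes in both cases; only the comparison against the independently obtained value flags the altered download, which is the property a detached signature provides without pinning every release by hand.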
