ANNOUNCE: xfce4-terminal 0.8.2 released
Andrzej
ndrw.xf at kurumi.co.uk
Sun Jan 1 19:49:34 CET 2017
> I am sorry but those are message digest and no signatures. And since
> they are downloaded via http they prove nothing. It is a high risk for
> our users that we need to download the xfce sources over an insecure
> channel and cannot verify their authenticity.
>
> Please fix this serious security issue.
At the moment the only other option is to pull a tagged revision
directly from git.xfce.org and generate your own tarball by running
"autogen.sh <options>; make distcheck" yourself.
Cryptographic checksums are an adequate solution (they are generated and
uploaded by the maintainer of each component), provided that their
authenticity can be verified. We do not plan to change our release system.
I do agree with you that http is a bad channel for distributing tarballs
and checksums. I will check if we can use https for it like we do for
most other subdomains.
Andrzej
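The point of the exchange above is that a message digest only proves integrity relative to the checksum file it is compared against; if both the tarball and the checksum file arrive over plain http, an on-path attacker can replace both and the check still passes. The following is an added example, not code from the Xfce project or from either participant: it parses a `sha256sum`-style checksum file, verifies a (constructed, stand-in) tarball against it, and then shows the substitution attack succeeding against the downloaded checksum file but failing against a digest pinned out of band (for instance one copied from an https-served page or a release announcement). The file name and byte contents are constructed sample data.

```python
"""Checksum verification and the http substitution attack (added example, constructed data)."""
import hashlib
import hmac
import re

# Constructed stand-ins for the release tarball; the real file would be read from disk.
FILENAME = "xfce4-terminal-0.8.2.tar.bz2"  # name only, contents below are constructed
GENUINE_TARBALL = b"xfce4-terminal-0.8.2: genuine release contents (constructed sample)\n"
TAMPERED_TARBALL = b"xfce4-terminal-0.8.2: contents with a backdoor (constructed sample)\n"

# One line of `sha256sum` output: 64 hex digits, whitespace, optional '*' (binary mode), file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact, lower-case hex, as sha256sum prints it."""
    return hashlib.sha256(data).hexdigest()


def make_sums_file(name: str, data: bytes) -> str:
    """Produce the checksum file a maintainer (or an attacker) would upload next to the tarball."""
    return f"{sha256_hex(data)}  {name}\n"


def parse_sums_file(text: str) -> dict:
    """Map file name -> expected digest; lines that are not sha256sum output are ignored."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_with_sums_file(name: str, data: bytes, sums_text: str) -> bool:
    """Integrity check against a checksum file fetched alongside the tarball."""
    expected = parse_sums_file(sums_text).get(name)
    if expected is None:
        return False
    # compare_digest avoids timing differences; not strictly needed here but idiomatic.
    return hmac.compare_digest(expected, sha256_hex(data))


def verify_with_pinned_digest(data: bytes, pinned_hex: str) -> bool:
    """Integrity check against a digest obtained through a channel the attacker does not control."""
    return hmac.compare_digest(pinned_hex.lower(), sha256_hex(data))


def scenario() -> dict:
    """Honest download versus on-path replacement of both tarball and checksum file."""
    maintainer_sums = make_sums_file(FILENAME, GENUINE_TARBALL)
    # Assumption: the user copied this digest from an https page or the announcement mail.
    pinned = sha256_hex(GENUINE_TARBALL)

    # 1. Honest download over any channel: both checks pass.
    honest = (
        verify_with_sums_file(FILENAME, GENUINE_TARBALL, maintainer_sums),
        verify_with_pinned_digest(GENUINE_TARBALL, pinned),
    )
    # 2. Attacker on the http path serves a tampered tarball AND a matching checksum file.
    attacker_sums = make_sums_file(FILENAME, TAMPERED_TARBALL)
    mitm = (
        verify_with_sums_file(FILENAME, TAMPERED_TARBALL, attacker_sums),  # passes: useless
        verify_with_pinned_digest(TAMPERED_TARBALL, pinned),               # fails: caught
    )
    return {"honest": honest, "mitm": mitm}


if __name__ == "__main__":
    for label, (via_sums_file, via_pinned) in scenario().items():
        print(f"{label:7s} checksum-file check={via_sums_file!s:5s} pinned-digest check={via_pinned}")
```

The same reasoning applies to the git alternative mentioned in the reply: a tag fetched from git.xfce.org is only as trustworthy as the channel and the tag itself, so a signed tag (or a commit hash obtained out of band) plays the role of the pinned digest here.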