ANNOUNCE: xfce4-terminal 0.8.2 released

Andrzej ndrw.xf at
Sun Jan 1 19:49:34 CET 2017

> I am sorry but those are message digest and no signatures. And since
> they are downloaded via http they proof nothing. It is a high risk for
> our users that we need to download the xfce sources over an insecure
> channel and cannot verify their authenticity.
> Please fix this serious security issue.

At the moment the only other option is to pull a tagged revision 
directly from and generate your own tarball by running 
" <options>; make distcheck" yourself.

Cryptographic checksums are an adequate solution (they are generated and 
uploaded by the maintainer of each component), provided that their 
authenticity can be verified. We do not plan changing our release system.

I do agree with you that http is a bad channel for distributing tarballs 
and checksums. I will check if we can use https for it like we do for 
most other subdomains.


More information about the Xfce mailing list