[PULL] XQuartz update for ATS allowance of our Sparkle feed and updated menu bar height logic

Jeremy Huddleston Sequoia jeremyhu at apple.com
Wed Oct 14 08:45:17 PDT 2015


> On Oct 14, 2015, at 06:32, Adam Jackson <ajax at nwnk.net> wrote:
> 
> On Wed, 2015-10-14 at 00:40 -0700, Jeremy Huddleston Sequoia wrote:
> 
>>      XQuartz: Relax App Transport Security for communicating with the update server
> 
> I'm not sure I'm a fan of this change?  ATS looks to be new in 10.11,
> so this might not be a change in behavior in a strict sense, but the
> SSL cert for www.macosforge.org seems to be valid for
> xquartz.macosforge.org and xquartz-dl.macosforge.org so I'm not sure
> why you'd need to turn it off.  What's the story here?

We don't really care about the security of the transport itself.  No confidential data is sent from the user's machine during the update process.  Sparkle validates the downloaded update was signed by my sparkle key, and the installer verifies that the contained package was installed by my app developer key.

The main reason I don't just leave it alone and update the URL is that our wiki and years of instructions have left users having set this manually:
    defaults write org.macosforge.xquartz.X11 SUFeedURL http://xquartz.macosforge.org/downloads/sparkle/beta.xml

We could have some logic at startup to notice that and update it for them, but the easier path was to just relax ATS since we don't really benefit from it anyways.
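
Added example, not part of the original message and not XQuartz code: a sketch of the "logic at startup" alternative mentioned above, written as a shell script that upgrades a manually set SUFeedURL from http to https. It assumes the feed is served at the same path over HTTPS; the function names and the --apply flag are hypothetical.

```sh
#!/bin/sh
# Added example (not XQuartz code): upgrade a manually set http:// Sparkle feed
# URL to https:// so that ATS would not need an exception for it.
# Assumption: the feed is served at the same path over HTTPS.

DOMAIN="org.macosforge.xquartz.X11"   # preferences domain from the post
KEY="SUFeedURL"                       # Sparkle feed key from the post
FEED_HOST="xquartz.macosforge.org"    # host from the post's feed URL

# Print the value that should be stored for a given current SUFeedURL.
# Only plain-HTTP URLs on exactly FEED_HOST are rewritten; anything else
# (already https, another host, a lookalike host) is returned unchanged.
migrate_feed_url() {
    url=$1
    rest=${url#*://}                  # text after the scheme separator
    [ "$rest" != "$url" ] || { printf '%s\n' "$url"; return 0; }  # no scheme
    scheme=$(printf '%s' "${url%%://*}" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "${rest%%/*}" | tr '[:upper:]' '[:lower:]')
    case "$rest" in
        */*) path=/${rest#*/} ;;
        *)   path= ;;
    esac
    host=${host%:80}                  # default HTTP port is redundant
    if [ "$scheme" = "http" ] && [ "$host" = "$FEED_HOST" ]; then
        printf 'https://%s%s\n' "$FEED_HOST" "$path"
    else
        printf '%s\n' "$url"
    fi
}

# Read the stored value and write it back only if migration changes it.
migrate_defaults() {
    command -v defaults >/dev/null 2>&1 || return 0   # not on macOS
    current=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) || return 0  # unset
    new=$(migrate_feed_url "$current")
    [ "$new" = "$current" ] || defaults write "$DOMAIN" "$KEY" "$new"
}

# Apply only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    migrate_defaults
fi
```

Matching on the exact host rather than a prefix keeps a user's custom feed, or a lookalike hostname, from being rewritten.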