[PULL] XQuartz update for ATS allowance of our Sparkle feed and updated menu bar height logic
Adam Jackson
ajax at nwnk.net
Wed Oct 14 12:56:32 PDT 2015
On Wed, 2015-10-14 at 08:45 -0700, Jeremy Huddleston Sequoia wrote:
> > I'm not sure I'm a fan of this change? ATS looks to be new in 10.11,
> > so this might not be a change in behavior in a strict sense, but the
> > SSL cert for www.macosforge.org seems to be valid for
> > xquartz.macosforge.org and xquartz-dl.macosforge.org so I'm not sure
> > why you'd need to turn it off. What's the story here?
>
> We don't really care about the security of the transport itself. No
> confidential data is sent from the user's machine during the update
> process. Sparkle validates the downloaded update was signed by my
> sparkle key, and the installer verifies that the contained package
> was installed by my app developer key.
That sounds fine, was just concerned that you could end up with a
subverted binary getting installed, but the signature process sounds
like it's assurance enough. Thanks for the explanation.
Merged:
To ssh://git.freedesktop.org/git/xorg/xserver
880d4e7..4513f92 master -> master
- ajax
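
The check described in the quoted explanation, as an added example (not part of the original thread, and not Sparkle's or XQuartz's code): the updater accepts a download only if it verifies under a public key already shipped in the installed app, so a payload altered or re-signed in transit is rejected whatever the transport. Ed25519 over a SHA-256 digest, the `Update` type, and all key and payload values are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the untrusted download channel delivers (hypothetical type).
type Update struct {
	Payload   []byte // downloaded archive bytes
	Signature []byte // detached signature published alongside it
}

var ErrBadSignature = errors.New("update not signed by pinned key")

// VerifyUpdate accepts a payload only if its signature verifies under the
// public key already embedded in the installed application.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize {
		return ErrBadSignature // ed25519.Verify panics on a malformed key
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs three constructed cases: genuine, modified in transit, re-signed.
func Demo() (genuine, tampered, resigned error) {
	key := func(b byte) ed25519.PrivateKey { // deterministic demo-only keys
		seed := make([]byte, ed25519.SeedSize)
		seed[0] = b
		return ed25519.NewKeyFromSeed(seed)
	}
	dev, other := key(1), key(2)
	pinned := dev.Public().(ed25519.PublicKey)
	sign := func(k ed25519.PrivateKey, p []byte) Update {
		d := sha256.Sum256(p)
		return Update{Payload: p, Signature: ed25519.Sign(k, d[:])}
	}
	good := sign(dev, []byte("constructed update payload"))
	bad := Update{Payload: []byte("constructed payload, altered"), Signature: good.Signature}
	return VerifyUpdate(pinned, good), VerifyUpdate(pinned, bad),
		VerifyUpdate(pinned, sign(other, bad.Payload))
}

func main() { fmt.Println(Demo()) }
```
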