[PULL] XQuartz update for ATS allowance of our Sparkle feed and updated menu bar height logic

Adam Jackson ajax at nwnk.net
Wed Oct 14 12:56:32 PDT 2015

On Wed, 2015-10-14 at 08:45 -0700, Jeremy Huddleston Sequoia wrote:

> > I'm not sure I'm a fan of this change?  ATS looks to be new in 10.11,
> > so this might not be a change in behavior in a strict sense, but the
> > SSL cert for www.macosforge.org seems to be valid for
> > xquartz.macosforge.org and xquartz-dl.macosforge.org so I'm not sure
> > why you'd need to turn it off.  What's the story here?
> We don't really care about the security of the transport itself.  No
> confidential data is sent from the user's machine during the update
> process.  Sparkle validates the downloaded update was signed by my
> sparkle key, and the installer verifies that the contained package
> was installed by my app developer key.

That sounds fine, was just concerned that you could end up with a
subverted binary getting installed, but the signature process sounds
like it's assurance enough.  Thanks for the explanation.


To ssh://git.freedesktop.org/git/xorg/xserver
   880d4e7..4513f92  master -> master

- ajax

More information about the xorg-devel mailing list