Discussion:
Moving away from SourceForge
Dionysis Zindros
2016-01-02 14:30:20 UTC
Dear list,

Adium's default download provider is still SourceForge. This is
unacceptable and we should be moving away from SourceForge
immediately, as it harms the security of our users. SourceForge is
refusing to implement TLS support after numerous attempts to convince
them.

This important ticket [0] has been left open and unanswered for 5 months. The
SourceForge download is criminal negligence in a world where Adium is used
for OTR conversations among people in need of extensive security such as
activists and journalists. SourceForge's missing TLS support and conscious
refusal to implement authenticity mechanisms after repeated requests for them
constitutes an indication that they are unaware of best security practices
and maliciously acting against their users.

We must give users the option to use the policy they prefer when they
download Adium: Either HTTPS or a GPG-based verification. However, the
default should be sane, and binary downloads via unauthenticated HTTP are
not.

This is unacceptable for a security project such as Adium. We must pursue
this further and switch the download source to GitHub or some other
trusted source urgently.

Best,
Dionysis.

[0] https://trac.adium.im/ticket/16929
Christopher Forsythe
2016-02-03 15:01:58 UTC
Did you bother to look at the ticket you linked to prior to sending this?
--
Chris Forsythe
Thijs Alkemade
2016-02-03 15:12:24 UTC
I was looking through the pending messages from non-members to devel after I
noticed another non-spam message and saw this one had been waiting since
January 2nd. I let it through without checking whether it was still relevant.

Thijs
Christopher Forsythe
2016-02-03 15:19:37 UTC
Ah, in that case, my apologies.
--
Chris Forsythe