On Feb 9, 2016, at 17:53 , Graham Cox <graham....@bigpond.com> wrote:
>
> The appcast supplies the URL for the release notes, so that can be updated to
> https without having to republish the app itself. That makes this a lot less
> trouble than it seems.

Yes, but the appcast itself is vulnerable to separate attack, if your access to it is http. (Its URL is specified in the bundle plist.)

>> Already updated to use https, but of course the problem is that in itself
>> requires a Sparkle update…

Yes, but it’s no worse a problem than the one you started with.

_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
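
An added example, not part of the original message or of Sparkle itself: a check for the two places discussed in this thread where a cleartext URL can sit, the appcast feed URL in the bundle's Info.plist and the release notes link inside the appcast. It assumes Sparkle's `SUFeedURL` plist key and `sparkle:releaseNotesLink` appcast element; the sample plist, appcast and `example.com` host are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

def is_cleartext(url):
    """True when the URL would be fetched over plain http."""
    return urlparse(url.strip()).scheme.lower() == "http"

def audit_info_plist(plist_bytes):
    """Check the appcast feed URL stored in an app bundle's Info.plist."""
    info = plistlib.loads(plist_bytes)  # handles XML and binary plists
    feed = info.get("SUFeedURL")
    if feed is None:
        return []  # no feed URL in the plist (it may be set in code instead)
    return [("SUFeedURL", feed)] if is_cleartext(feed) else []

def audit_appcast(appcast_xml):
    """Check the URLs an appcast hands to the updater: notes and downloads."""
    findings = []
    root = ET.fromstring(appcast_xml)
    for item in root.iter("item"):
        for notes in item.findall(f"{{{SPARKLE_NS}}}releaseNotesLink"):
            if notes.text and is_cleartext(notes.text):
                findings.append(("releaseNotesLink", notes.text.strip()))
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            if is_cleartext(url):
                findings.append(("enclosure", url))
    return findings

# Constructed sample data (example.com is a placeholder host).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.app",
    "SUFeedURL": "http://example.com/appcast.xml",
})
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
<channel><item>
  <title>Version 2.0</title>
  <sparkle:releaseNotesLink>http://example.com/notes/2.0.html</sparkle:releaseNotesLink>
  <enclosure url="https://example.com/App-2.0.zip" sparkle:version="2.0"
             type="application/octet-stream"/>
</item></channel></rss>"""

if __name__ == "__main__":
    for where, url in audit_info_plist(SAMPLE_PLIST) + audit_appcast(SAMPLE_APPCAST):
        print(f"cleartext {where}: {url}")
```

A finding in the appcast can be fixed on the server, while a finding in the plist is baked into every shipped copy of the app.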