Dear list,

Adium's default download provider is still SourceForge. This is unacceptable and we should be moving away from SourceForge immediately, as it harms the security of our users. SourceForge is refusing to implement TLS support after numerous attempts to convince them.

This important ticket [0] has been left open and unanswered for 5 months. The SourceForge download is criminal negligence in a world where Adium is used for OTR conversations among people in need of extensive security, such as activists and journalists. SourceForge's missing TLS support and conscious refusal to implement authenticity mechanisms after repeated requests for it constitute an indication that they are unaware of best security practices and maliciously acting against their users.

We must give users the option to use the policy they prefer when they download Adium: either HTTPS or a GPG-based verification. However, the default should be sane, and binary downloads via unauthenticated HTTP are not. This is unacceptable for a security project such as Adium. We must pursue this further and switch the download source to GitHub or some other trusted source urgently.

Best,
Dionysis.

[0] https://trac.adium.im/ticket/16929