Did you bother to look at the ticket you linked to prior to sending this?

On Sat, Jan 2, 2016 at 8:30 AM, Dionysis Zindros <diony...@gmail.com> wrote:

> Dear list,
>
> Adium's default download provider is still SourceForge. This is
> unacceptable and we should be moving away from SourceForge
> immediately, as it harms the security of our users. SourceForge is
> refusing to implement TLS support after numerous attempts to convince
> them.
>
> This important ticket [0] has been left open and unanswered for 5 months.
> The SourceForge download is criminal negligence in a world where Adium is used
> for OTR conversations among people in need of extensive security such as
> activists and journalists. SourceForge's missing TLS support and conscious
> refusal to implement authenticity mechanisms after repeated requests at it
> constitutes an indication that they are unaware of best security practices
> and maliciously acting against their users.
>
> We must give users the option to use the policy they prefer when they
> download Adium: Either HTTPS or a GPG-based verification. However, the
> default should be sane, and binary downloads via unauthenticated HTTP are
> not.
>
> This is unacceptable for a security project such as Adium. We must pursue
> this further and switch the download source to GitHub or some other
> trusted source urgently.
>
> Best,
> Dionysis.
>
> [0] https://trac.adium.im/ticket/16929
>
>


-- 
Chris Forsythe
