I was looking through the pending messages from non-members to devel after I noticed another non-spam message and saw this one had been waiting since January 2nd. I let it through without looking if it was still relevant.

Thijs

> On 3 feb. 2016, at 16:01, Christopher Forsythe <ch...@growl.info> wrote:
>
> Did you bother to look at the ticket you linked to prior to sending this?
>
> On Sat, Jan 2, 2016 at 8:30 AM, Dionysis Zindros <diony...@gmail.com> wrote:
> Dear list,
>
> Adium's default download provider is still SourceForge. This is
> unacceptable and we should be moving away from SourceForge
> immediately, as it harms the security of our users. SourceForge is
> refusing to implement TLS support after numerous attempts to convince
> them.
>
> This important ticket [0] has been left open and unanswered for 5 months. The
> SourceForge download is criminal negligence in a world where Adium is used
> for OTR conversations among people in need for extensive security such as
> activists and journalists. SourceForge's missing TLS support and conscious
> refusal to implement authenticity mechanisms after repeated requests at it
> constitutes an indication that they are unaware of best security practices
> and maliciously acting against their users.
>
> We must give users the option to use the policy they prefer when they
> download Adium: Either HTTPS or a GPG-based verification. However, the
> default should be sane, and binary downloads via unauthenticated HTTP are
> not.
>
> This is unacceptable for a security project such as Adium. We must pursue
> this further and switch the download source to GitHub or some other
> trusted source urgently.
>
> Best,
> Dionysis.
>
> [0] https://trac.adium.im/ticket/16929
>
> --
> Chris Forsythe