Ah in that case my apologies.

On Wed, Feb 3, 2016 at 9:12 AM, Thijs Alkemade <m...@thijsalkema.de> wrote:
> I was looking through the pending messages from non-members to devel after I
> noticed another non-spam message and saw this one had been waiting since
> January 2nd. I let it through without looking if it was still relevant.
>
> Thijs
>
> > On 3 feb. 2016, at 16:01, Christopher Forsythe <ch...@growl.info> wrote:
> >
> > Did you bother to look at the ticket you linked to prior to sending this?
> >
> > On Sat, Jan 2, 2016 at 8:30 AM, Dionysis Zindros <diony...@gmail.com> wrote:
> > Dear list,
> >
> > Adium's default download provider is still SourceForge. This is
> > unacceptable and we should be moving away from SourceForge
> > immediately, as it harms the security of our users. SourceForge is
> > refusing to implement TLS support after numerous attempts to convince
> > them.
> >
> > This important ticket [0] has been left open and unanswered for 5 months. The
> > SourceForge download is criminal negligence in a world where Adium is used
> > for OTR conversations among people in need of extensive security such as
> > activists and journalists. SourceForge's missing TLS support and conscious
> > refusal to implement authenticity mechanisms after repeated requests at it
> > constitutes an indication that they are unaware of best security practices
> > and maliciously acting against their users.
> >
> > We must give users the option to use the policy they prefer when they
> > download Adium: Either HTTPS or a GPG-based verification. However, the
> > default should be sane, and binary downloads via unauthenticated HTTP are
> > not.
> >
> > This is unacceptable for a security project such as Adium. We must pursue
> > this further and switch the download source to GitHub or some other
> > trusted source urgently.
> >
> > Best,
> > Dionysis.
> >
> > [0] https://trac.adium.im/ticket/16929
> >
> > --
> > Chris Forsythe

--
Chris Forsythe