Re: Sparkle updater check vulnerability script
- Subject: Re: Sparkle updater check vulnerability script
- From: 2551phil <email@hidden>
- Date: Fri, 12 Feb 2016 10:13:17 +0700
Oops
I forgot a piece of the code.
Yes, I was about to post that 1.54 is missing out some apps on my system. Here is an enhanced one which analyses more deeply the use of appcast.
1.55 doesn’t work properly here. It’s throwing up things that are not insecure. I think that’s because the logic of the script in 1.54 and 1.55 has changed. An app shouldn’t be added to the ‘vulnerable’ variable simply because it doesn’t use 1.13.1. As I’ve repeatedly said, even 1.5b is safe if both the appcast and the release notes are https. As I also said early on, some apps will have to remain on 1.5b simply because they can’t update and maintain support for Snow Leopard.
Theoretically, one could get the appcast url and then call CURL on it via a do shell script and examine that for https/http calls to the release notes, but there’s a point where the work becomes greater than the potential threat (see Shane’s last post, which I agree with entirely).
For the time being I’m happy sticking with v1.52 of the script as that’s the most reliable and gives me a reasonable indicator of which apps need updating.
Best
Phil
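
The check described in the message above (take the appcast URL, then look at the scheme of the release-notes links inside the feed), sketched in Python as an added example that is not part of the original post or of the script under discussion. The feed URL, host names and sample appcast are constructed, and fetching the feed is left out so the block runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# XML namespace of Sparkle's own appcast elements.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast (hypothetical app and host).
SAMPLE_APPCAST = """<rss version="2.0"
  xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>ExampleApp</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.com/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/ExampleApp-2.0.zip"
                 sparkle:version="200" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 1.9</title>
      <sparkle:releaseNotesLink>notes/1.9.html</sparkle:releaseNotesLink>
    </item>
  </channel>
</rss>"""


def is_https(url):
    return urlparse(url).scheme.lower() == "https"


def insecure_urls(feed_url, appcast_xml):
    """Return (kind, url) for each non-HTTPS appcast or release-notes URL."""
    findings = []
    if not is_https(feed_url):
        findings.append(("appcast", feed_url))
    root = ET.fromstring(appcast_xml)
    for item in root.iter("item"):
        for notes in item.findall("{%s}releaseNotesLink" % SPARKLE_NS):
            if not (notes.text and notes.text.strip()):
                continue
            # A relative link inherits the scheme of the feed it came from.
            url = urljoin(feed_url, notes.text.strip())
            if not is_https(url):
                findings.append(("release notes", url))
    return findings


def transport_is_safe(feed_url, appcast_xml):
    """The rule from the message: appcast and release notes both https."""
    return not insecure_urls(feed_url, appcast_xml)
```
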
AppleScript-Users mailing list (email@hidden)
Archives: http://lists.apple.com/archives/applescript-users