Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: sqwarqDev <email@hidden>
- Date: Wed, 10 Feb 2016 11:48:46 +0000 (GMT)
On 10 Feb 2016, at 13:59, email@hidden wrote:
tell them how they can find out which apps use
Sparkle??
On 10 Feb 2016, at 13:59, email@hidden wrote:
tell them how they can find out which apps use
Sparkle??
I was thinking of writing a script for this, checking for SUFeedURL for every .app bundle, but
i. is there already an easy way to check which apps use Sparkle?
ii. I don’t see an easy way for users to tell what version of Sparkle is installed in an app.
Does anyone know where the Sparkle version number is hidden in the bundle?
ii. given what Roland and Ken both say downthread, vis:
If the release notes are via a separate URL and that URL is HTTP rather than HTTPS, then the attacker can spoof it
it looks like just checking the SUFeedURL for http or https won’t be enough to determine if the app is safe for any app running older versions than Sparkle 1.13. Of course, we should all update to the latest version, but I have one app that has to be 10.6 compatible and that can’t use anything but an ***old*** version of Sparkle. The app cast and release notes are both https so I’m assuming this is secure (at least regarding this particular issue…).
Best
Phil
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden