Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: email@hidden
  • Date: Wed, 10 Feb 2016 13:39:37 +0100
  • Importance: Normal

You can do that in the terminal; I found this terminal command online:

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

This returns:
Cornerstone
Sequel Pro

on my MacBook Pro...

Important note: I did not come up with this myself and was a bit nervous
running it in the terminal.

Any Linux gurus on this list that can say whether the above command is OK
to run in all circumstances?




>
> On 10 Feb 2016, at 13:59, email@hidden wrote:
> tell them how they can find out which apps use
> Sparkle??
>
>
> I was thinking of writing a script for this, checking for SUFeedURL for
> every .app bundle, but
>
> i. is there already an easy way to check which apps use Sparkle?
>
> ii. I don’t see an easy way for users to tell what version of Sparkle is
> installed in an app. 
> Does anyone know where the Sparkle version number is hidden in the bundle?
>
> iii. given what Roland and Ken both say downthread, viz.:
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it
>
> it looks like just checking the SUFeedURL for http or https won’t be
> enough to determine if the app is safe for any app running older versions
> than Sparkle 1.13. Of course, we should all update to the latest version,
> but I have one app that has to be 10.6 compatible and that can’t use
> anything but an ***old*** version of Sparkle. The app cast and release
> notes are both https so I’m assuming this is secure (at least regarding
> this particular issue…). 
>
>
>
> Best
>
>
> Phil
> _______________________________________________
>
> Cocoa-dev mailing list (email@hidden)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
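
Added example (not part of the original posts and not Sparkle project code): a Python version of the check discussed in this thread. It lists apps that embed Sparkle.framework, reads SUFeedURL from each app's Info.plist, and flags non-HTTPS feeds and Sparkle versions below 1.13. It assumes the framework sits in Contents/Frameworks and that its version is the CFBundleShortVersionString in the framework's own Info.plist; the bundle names and example.invalid URLs in demo() are constructed.

```python
import plistlib, re, tempfile
from pathlib import Path

FIXED = (1, 13)  # release named in the thread; older builds need more than a feed check

def read_plist(path):
    """Parse a plist file; return {} if it is missing or unreadable."""
    try:
        return plistlib.loads(Path(path).read_bytes())
    except Exception:  # a scanner has to survive damaged bundles
        return {}

def version_tuple(text):
    """Leading digits of each dotted part: '1.13.1' -> (1, 13, 1), '1.5b6' -> (1, 5)."""
    hits = (re.match(r"\d+", part) for part in str(text).split("."))
    return tuple(int(m.group()) for m in hits if m)

def audit(root):
    """Map each app under root that embeds Sparkle.framework to a list of findings."""
    report = {}
    for fw in sorted(Path(root).rglob("*.app/Contents/Frameworks/Sparkle.framework")):
        app = fw.parents[2]  # the enclosing Name.app bundle
        feed = str(read_plist(app / "Contents/Info.plist").get("SUFeedURL", ""))
        # Assumption: Sparkle's version is in the framework's own Info.plist.
        info = read_plist(fw / "Resources/Info.plist")
        ver = version_tuple(info.get("CFBundleShortVersionString", ""))
        notes = []
        if not feed:
            notes.append("no SUFeedURL in Info.plist")
        elif not feed.lower().startswith("https://"):
            notes.append("feed is not https")
        if ver < FIXED:  # () sorts first, so an unreadable version is flagged too
            notes.append("Sparkle older than 1.13 or unknown: check release-notes URL too")
        report[app.stem] = notes
    return report

def demo():
    """Run audit() over two constructed bundles (sample data, not real apps)."""
    samples = {"OldHttp": ("http://example.invalid/appcast.xml", "1.5b6"),
               "Current": ("https://example.invalid/appcast.xml", "1.13.1")}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (feed, ver) in samples.items():
            res = Path(tmp, name + ".app/Contents/Frameworks/Sparkle.framework/Resources")
            res.mkdir(parents=True)
            (res.parents[2] / "Info.plist").write_bytes(plistlib.dumps({"SUFeedURL": feed}))
            (res / "Info.plist").write_bytes(plistlib.dumps({"CFBundleShortVersionString": ver}))
        return audit(tmp)

if __name__ == "__main__":
    print(demo())
```

On a Mac, `audit("/Applications")` runs the same check over installed apps; an empty list means neither condition was flagged for that app.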


