Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: email@hidden
- Date: Wed, 10 Feb 2016 21:58:19 +0900
An app could also have plugins or embedded frameworks that have distinct Sparkle updaters.
Sent from my iPhone
> On Feb 10, 2016, at 9:39 PM, email@hidden wrote:
>
> You can do that in the terminal, I found this terminal command online:
>
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
>
> This returns:
> Cornerstone
> Sequel Pro
>
> on my MacBook Pro...
>
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
>
> Any Linux gurus on this list that can say whether the above command is OK
> to run in all circumstances?
>
>
>
>
>>
>> On 10 Feb 2016, at 13:59, email@hidden wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>>
>>
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>>
>> i. is there already an easy way to check which apps use Sparkle?
>>
>> ii. I don’t see an easy way for users to tell what version of Sparkle is
>> installed in an app.
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>>
>> ii. given what Roland and Ken both say downthread, vis:
>>
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>>
>> it looks like just checking the SUFeedURL for http or https won’t be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can’t use
>> anything but an ***old*** version of Sparkle. The app cast and release
>> notes are both https so I’m assuming this is secure (at least regarding
>> this particular issue…).
>>
>>
>>
>> Best
>>
>>
>> Phil
>> _______________________________________________
>>
>> Cocoa-dev mailing list (email@hidden)
>>
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
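The audit script idea raised in this thread, as an added example (not written by any poster and not Sparkle project code): it finds every Sparkle.framework copy, including ones inside plugins or embedded frameworks, and reports the host bundle's SUFeedURL scheme and the framework's version. It assumes the version is stored under CFBundleShortVersionString in the framework's own Info.plist and that bundles keep Info.plist in Contents/ or Resources/; all function names are hypothetical.

```python
import os, plistlib, re, sys
from urllib.parse import urlparse

BUNDLE_EXTS = (".app", ".plugin", ".bundle", ".framework", ".appex", ".xpc")
# Assumption: Info.plist is in Contents/ (apps, plugins) or Resources/ (frameworks).
PLIST_PATHS = ("Contents/Info.plist", "Resources/Info.plist")

def info_plist(bundle):
    """Parsed Info.plist (XML or binary) of a bundle, or {} if none is readable."""
    for rel in PLIST_PATHS:
        try:
            with open(os.path.join(bundle, rel), "rb") as fh:
                return plistlib.load(fh)
        except Exception:  # missing file or malformed plist: try next location
            continue
    return {}

def host_bundle(path):
    """Nearest enclosing bundle (app, plugin, framework) that embeds Sparkle."""
    while path != os.path.dirname(path):
        path = os.path.dirname(path)
        if path.endswith(BUNDLE_EXTS):
            return path
    return None

def audit_sparkle(root):
    """Return one finding per Sparkle.framework copy found under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if "Sparkle.framework" not in dirnames:
            continue
        dirnames.remove("Sparkle.framework")  # nothing to find inside it
        fw = os.path.join(dirpath, "Sparkle.framework")
        host = host_bundle(fw)
        feed = info_plist(host).get("SUFeedURL") if host else None
        ver = info_plist(fw).get("CFBundleShortVersionString")  # assumed key
        m = re.match(r"(\d+)\.(\d+)", ver or "")
        findings.append({
            "host": os.path.relpath(host or fw, root), "sparkle": ver,
            "feed": feed,  # None: no SUFeedURL key in the host's Info.plist
            "http_feed": urlparse(str(feed)).scheme.lower() == "http" if feed else None,
            "pre_1_13": (int(m[1]), int(m[2])) < (1, 13) if m else None,
        })
    return sorted(findings, key=lambda f: f["host"])

if __name__ == "__main__":
    for f in audit_sparkle(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f)
```

A `feed` of `None` only means no `SUFeedURL` key was found in that bundle's Info.plist, so those entries need a manual look.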