> On Oct 14, 2015, at 06:32, Adam Jackson <a...@nwnk.net> wrote:
>
> On Wed, 2015-10-14 at 00:40 -0700, Jeremy Huddleston Sequoia wrote:
>
>> XQuartz: Relax App Transport Security for communicating with the update
>> server
>
> I'm not sure I'm a fan of this change? ATS looks to be new in 10.11,
> so this might not be a change in behavior in a strict sense, but the
> SSL cert for www.macosforge.org seems to be valid for
> xquartz.macosforge.org and xquartz-dl.macosforge.org so I'm not sure
> why you'd need to turn it off. What's the story here?

We don't really care about the security of the transport itself. No confidential data is sent from the user's machine during the update process. Sparkle validates the downloaded update was signed by my sparkle key, and the installer verifies that the contained package was installed by my app developer key.

The main reason I don't just leave it alone and update the URL is that our wiki and years of instructions have left users having set this manually:

    defaults write org.macosforge.xquartz.X11 SUFeedURL http://xquartz.macosforge.org/downloads/sparkle/beta.xml

We could have some logic at startup to notice that and update it for them, but the easier path was to just relax ATS since we don't really benefit from it anyways.
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
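
The following audit check is an added example, not code from the XQuartz patch or from either participant in the thread. It classifies how an Info.plist's ATS settings treat the manually set `SUFeedURL` quoted above, comparing an app-wide relaxation with an exception scoped to `macosforge.org`. The thread does not show which form the patch used; both plists are constructed samples and `http_load_status` is a hypothetical helper name.

```python
import plistlib
from urllib.parse import urlsplit

# Feed URL quoted in the thread; the two plists below are constructed samples.
LEGACY_FEED = "http://xquartz.macosforge.org/downloads/sparkle/beta.xml"

_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
         b'<key>NSAppTransportSecurity</key><dict>')
_TAIL = b'</dict></dict></plist>'

# ATS switched off for every host the app talks to.
GLOBAL_RELAX = _HEAD + b'<key>NSAllowsArbitraryLoads</key><true/>' + _TAIL

# Plain HTTP allowed only for macosforge.org and its subdomains.
SCOPED_RELAX = _HEAD + (
    b'<key>NSExceptionDomains</key><dict>'
    b'<key>macosforge.org</key><dict>'
    b'<key>NSIncludesSubdomains</key><true/>'
    b'<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>'
    b'</dict></dict>') + _TAIL


def http_load_status(info_plist: bytes, url: str) -> str:
    """Classify how the ATS keys in an Info.plist treat a feed URL.

    Returns 'https', 'scoped-exception', 'global-exception' or 'blocked'.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "https"  # no ATS exception needed at all
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    host = (parts.hostname or "").lower()
    for domain, rule in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        covers_sub = rule.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if host == domain or covers_sub:
            # A per-domain entry takes precedence over the app-wide switch.
            if rule.get("NSExceptionAllowsInsecureHTTPLoads", False):
                return "scoped-exception"
            return "blocked"
    if ats.get("NSAllowsArbitraryLoads", False):
        return "global-exception"
    return "blocked"


if __name__ == "__main__":
    for name, plist in (("global", GLOBAL_RELAX), ("scoped", SCOPED_RELAX)):
        print(name, http_load_status(plist, LEGACY_FEED))
```

Both samples let the legacy `http://` feed load; only the scoped one keeps ATS enforced for every other host.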