On Wed, 2015-10-14 at 08:45 -0700, Jeremy Huddleston Sequoia wrote: > > I'm not sure I'm a fan of this change? ATS looks to be new in 10.11, > > so this might not be a change in behavior in a strict sense, but the > > SSL cert for www.macosforge.org seems to be valid for > > xquartz.macosforge.org and xquartz-dl.macosforge.org so I'm not sure > > why you'd need to turn it off. What's the story here? > > We don't really care about the security of the transport itself. No > confidential data is sent from the user's machine during the update > process. Sparkle validates the downloaded update was signed by my > sparkle key, and the installer verifies that the contained package > was installed by my app developer key.
That sounds fine, was just concerned that you could end up with a subverted binary getting installed, but the signature process sounds like it's assurance enough. Thanks for the explanation. Merged: To ssh://git.freedesktop.org/git/xorg/xserver 880d4e7..4513f92 master -> master - ajax _______________________________________________ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel