[OS X Emacs] many thanks and two website security questions

Sandy C windoverwater at gmail.com
Thu Dec 12 02:35:16 EST 2019


Thanks.

Good to know that the download is secure (Chrome and Little Snitch both show https), but if the download link is not secure, well ...

And it is good to be reminded about the verification on Apple's side. So having asked, I feel more comfortable with the download, but not sure how non-tech Aquamacs users will feel about the non-https website.

I guess I was thinking that the attack surface could be tidied up a bit given that it is almost 2020 :-/

No need to reply / keep the thread going.  Appreciate the time.  Thanks!

v/r,
-sandy

> On Dec 11, 2019, at 12:38 PM, John Wroclawski <jtw at csail.mit.edu> wrote:
> 
> It’s also worth keeping in mind that the executable is signed by an Apple developer certificate as part of the creation process, and the signature verified each time the program is first run on a new machine. David knows this because in 3.5 it’s his certificate that signed it :).
> 
> I was wondering whether the signature covered all of the distributed Lisp files as well - Emacs could be a slightly interesting case for Apple codesigning, and there’s room for either answer - but on very quick look it seems that it does. Whoever built the distributed version could probably comment further.
> 
> So I’d never particularly want to argue against a secured distribution channel, but it’s not clear that it’s terribly critical here either - there’s a good mechanism in place to verify the distributed program in any case.
> 
> cheers, -john
> 
>> On Dec 11, 2019, at 2:50 AM, David Reitter <david.reitter at gmail.com> wrote:
>> 
>> Can you check how the .dmg does actually get downloaded? I believe it’s https. From GitHub.
>> 
>> David
>> On Dec 11, 2019, 03:14 -0500, Sandy C <windoverwater at gmail.com>, wrote:
>>> Hi,
>>> 
>>> Thanks for all the work - Aquamacs is a great macOS app.
>>> 
>>> Regarding the http://aquamacs.org website, would it be possible to supply some type of verification on the download file?