[OS X Emacs] many thanks and two website security questions
treese at acm.org
Fri Dec 13 20:54:54 EST 2019
Sandy (and others),
Thanks for the comments on this. You’re right, it’s 2019, and we should be using TLS on the site.
There’s actually been some work going on the background to update the site, and TLS will be enabled on the new one. I hope that we cut over to it in January.
For those interested in web details: the actual download on the DMG is done over TLS, since it is served from GitHub. This is essentially invisible, however, because it’s done through a redirect. But the redirect, and the current aquamacs.org site, do not use TLS at the moment.
As John pointed out, the downloaded DMG is signed using Apple’s machinery. I don’t think gpg would add anything to that, but I’m happy to hear discussion about whether and how it can be improved. At the moment, the nightly builds are not signed. (Actually, at the moment, the nightly builds aren’t happening, as the machine that does it is in transition from David to me!). Changing that isn’t a high priority at the moment, but, as always, community input is welcome.
treese at acm.org
> On Dec 12, 2019, at 2:35 AM, Sandy C <windoverwater at gmail.com> wrote:
> Good to know that the download is secure (Chrome and Little Snitch both show https), but if the download link is not secure, well ...
> And it is good to be reminded about the verification on Apple's side. So having asked, I feel more comfortable with the download, but not sure how non tech aquamacs users will feel about the non https website.
> I guess I was thinking that the attack surface could be tidied up a bit given that it is almost 2020 :-/
> No need to reply / keep the thread going. Appreciate the time. Thanks!
>> On Dec 11, 2019, at 12:38 PM, John Wroclawski <jtw at csail.mit.edu> wrote:
>> It’s also worth keeping in mind that the executable is signed by an apple developer certificate as part of the creation process, and the signature verified each time the program is first run on a new machine. David knows this because in 3.5 it’s his certificate that signed it :).
>> I was wondering whether the signature covered all of the distributed lisp files as well - emacs could be a slightly interesting case for Apple codesigning, and there’s room for either answer - but on very quick look it seems that it does. Whoever built the distributed version could probably comment further..
>> So I’d never particularly want to argue against a secured distribution channel, but it’s not clear that it’s terribly critical here either - there’s a good mechanism in place to verify the distributed program in any case.
>> cheers, -john
>>> On Dec 11, 2019, at 2:50 AM, David Reitter <david.reitter at gmail.com> wrote:
>>> Can you check how the .dmg does actually get downloaded? I believe it’s https. From Github.
>>> On Dec 11, 2019, 03:14 -0500, Sandy C <windoverwater at gmail.com>, wrote:
>>>> Thanks for all the work - aquamacs is a great MacOS app.
>>>> Regarding the http://aquamacs.org website, would it be possible to supply some type of verification on the download file?
>> MacOSX-Emacs mailing list
>> MacOSX-Emacs at email.esm.psu.edu
>> List Archives: http://dir.gmane.org/gmane.emacs.macintosh.osx
> MacOSX-Emacs mailing list
> MacOSX-Emacs at email.esm.psu.edu
> List Archives: http://dir.gmane.org/gmane.emacs.macintosh.osx
More information about the MacOSX-Emacs