Sparkle needs to be updated so that your updates are validated correctly. Currently, updates happen over HTTP, which could allow an attacker to MITM the update and therefore provide malware instead.
The updates are validated using the signature. So this cannot happen.
We cannot update to a later Sparkle version, as Skim supports 10.6, and the latest Sparkle requires 10.7.
(A newer Sparkle version won't change that SF.net uses http.)
And be aware that we use a patched version of the old Sparkle, to take care of security vulnerabilities, including the ones you mention.