Update Sparkle Updater


#1

From what I can see, Taskpaper uses Sparkle version 1.11.0 for auto updates. Versions of Sparkle previous to 1.13.1 may be vulnerable to MITM attacks.

Is there a plan to update soon?


#2

Thanks for the note. I’ll update in the next preview release. I’m not sure… but I “think” the current release might already be safe because it’s using https when downloading the feed and the DMGs.


#3

Thanks. Good to hear it’s already using HTTPS.

I said “may be vulnerable” because my understanding also is that it’s not a problem if you’re using HTTPS.


#4

Nope, sorry. /Applications/TaskPaper.app - com.hogbaysoftware.TaskPaper.mac - http://www.hogbaysoftware.com/products/taskpaper/releases.rss

Checked it with a little Python script.
You might want to have another look.

Thanks.


#5

OK PEBCAK. Old TaskPaper has Sparkle problem, not this TaskPaper.


#6

Unfortunately TaskPaper 2 isn’t possible to update, at least not without a very big effort. Xcode, OS X, etc. have passed it by and the project won’t build. Do you know if this bug can happen if no update is scheduled… TaskPaper 2 is end of life and there won’t be any additional updates. Does that generally make it safe?


#7

I’m not really an expert but I think that the issue is that you can feed someone a fake update. I think that feeding someone the data that an update is indeed available is the first step. The hard thing is obtaining TaskPaper source and creating a version that successfully behaves like TaskPaper in the first place, unless one would be content to wreak havoc in some way.
I’m not sure. I think there is not an easy way out. How much effort do you think fixing up TP2 is?