[TYPO3-core] Distribution infrastructure

Christian Kuhn lolli at schwarzbu.ch
Tue Apr 28 12:39:39 CEST 2015


On 29.03.2015 18:44, Jost Baron wrote:
> 1) It's not secured in any way, plain HTTP. And it is done via
> SourceForge, which is known for inserting stuff into downloaders (see
> [1]). They probably don't do it for TYPO3, but it's still worrying me.
> It is of course a good idea to check the hash sums after downloads, but
> I forget that more often than not.

The 'auto updater' of the install tool does the checksum comparison and 
the reference value is fetched from get.typo3.org via https.

But yes, proper package signing is a topic that should be tackled.
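
Added example, not part of the original message and not the install tool's own code: a Python sketch of the checksum comparison described above, showing that it protects a plain-HTTP download only when the reference value arrives over an authenticated channel. SHA-256, the `digest  filename` reference format, the function names and all sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large archives never sit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def parse_reference(text):
    """Accept 'hexdigest' or 'hexdigest  filename'; reject anything else."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("reference is not a SHA-256 hex digest")
    return token

def verify_package(package_stream, reference_text):
    """True only if the package hashes to the reference value."""
    expected = parse_reference(reference_text)
    return hmac.compare_digest(sha256_stream(package_stream), expected)

# Constructed sample data (not real TYPO3 artifacts).
ORIGINAL = b"constructed release archive"
TAMPERED = ORIGINAL + b" with bundled extras"
# Reference as it would arrive over the authenticated (HTTPS) channel.
TRUSTED_REFERENCE = hashlib.sha256(ORIGINAL).hexdigest() + "  release.tar.gz\n"
# Reference served next to the package over the same plain-HTTP channel:
# whoever rewrote the package can rewrite this value too.
SAME_CHANNEL_REFERENCE = hashlib.sha256(TAMPERED).hexdigest()

def run_cases():
    """Verify each constructed package against each kind of reference."""
    return {
        "intact_vs_trusted": verify_package(io.BytesIO(ORIGINAL), TRUSTED_REFERENCE),
        "tampered_vs_trusted": verify_package(io.BytesIO(TAMPERED), TRUSTED_REFERENCE),
        "tampered_vs_same_channel": verify_package(io.BytesIO(TAMPERED), SAME_CHANNEL_REFERENCE),
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The third case is accepted even though the package was modified, which is why the origin of the reference value matters as much as the comparison itself.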

