[TYPO3-core] Distribution infrastructure
Christian Kuhn
lolli at schwarzbu.ch
Tue Apr 28 12:39:39 CEST 2015
Hey.
On 29.03.2015 18:44, Jost Baron wrote:
> 1) It's not secured in any way, plain HTTP. And it is done via
> SourceForge, which is known for inserting stuff into downloaders (see
> [1]). They probably don't do it for TYPO3, but it's still worrying me.
>
> It is of course a good idea to check the hash sums after downloads, but
> I forget that more often than not.
The 'auto updater' of the install tool does the checksum comparison and
the reference value is fetched from get.typo3.org via https.
But yes, proper package signing is a topic that should be tackled.
Regards
Christian
More information about the TYPO3-team-core
mailing list