iterm2-nightly download happens over HTTP even though the link is HTTPS, no checksum #5228
Comments
The HTTPS case should be fixed, yes. As for tagging nightlies, we don’t have the resources to update every nightly every day. Even if we had an automated system that did it, it’d need to be run every day multiple times a day to be sure it caught them all. Users that don’t want to take the risk of installing casks without a checksum can use the However, all that said, technically there is a way. If your build system tags nightlies and auto-submits a PR to us, it could be done. This is easier than it looks. By using There’s still the fact there’d need to be human intervention to actually merge the PR, but we’re usually pretty fast about it. We could try and see if it works.
This all sounds very good, and I had no idea about the Seeing as I'm not an iTerm2 maintainer, you may want to suggest this at the issue I linked previously. However, let's open another issue on the main cask repo to prevent insecure HTTPS -> HTTP redirects on download URLs? This looks to be a much bigger issue, probably not constrained to this cask only.
I don’t have a GitLab account.
I guess @gnachman is active on GitHub as well, let us know how you feel about what @vitorgalvao proposed 😄
Would this be a proper command line?
FYI GitLab lets you log in with GitHub as your OAuth provider.
This would make more sense
but it depends on the download URL. Let’s say a typical nightly download is The only thing that matters is that the download URL follows a predictable pattern where only a specific portion changes every time, and we’ll use that portion as the version.
Commits 018a3faf and b00e8cc8 update the nightly build script to invoke cask-repair as requested.
See the relevant issue on the iterm2 tracker: https://gitlab.com/gnachman/iterm2/issues/6495
On our side we could try tagging nightlies (https://www.iterm2.com/downloads/nightly/#/section/home), making sure the download link is HTTPS and hashing them as usual. Also use the linked page as appcast.
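The two checks this issue asks for, written out as an added example (not code from this thread, from Homebrew Cask, or from iTerm2): flag any hop where an HTTPS download URL redirects to plain HTTP, and accept the file only if its SHA-256 matches a pinned value. The hostnames, the sample redirect chain and all function names are constructed for illustration.

```ruby
require "uri"
require "digest"

# Resolve each recorded Location header against the URL that returned it
# (Location may be relative) and return the full ordered list of URLs visited.
def build_chain(start, locations)
  locations.compact.reduce([start]) do |chain, loc|
    chain << URI.join(chain.last, loc).to_s
  end
end

# Every hop where an HTTPS URL hands the client over to a non-HTTPS URL.
def insecure_downgrades(chain)
  pairs = chain.map { |u| URI.parse(u) }.each_cons(2)
  bad = pairs.select { |from, to| from.scheme == "https" && to.scheme != "https" }
  bad.map { |from, to| "#{from} -> #{to}" }
end

# Accept a download only if every hop used HTTPS and the bytes match the pin.
def acceptable?(chain, body, pinned_sha256)
  chain.all? { |u| URI.parse(u).scheme == "https" } &&
    Digest::SHA256.hexdigest(body) == pinned_sha256.downcase
end

# Constructed sample: an HTTPS link whose second redirect drops to HTTP.
SAMPLE_CHAIN = build_chain(
  "https://downloads.example.com/nightly/latest",
  ["/nightly/app-1_2_3.zip", "http://mirror.example.com/app-1_2_3.zip"]
)
SAMPLE_BODY = "constructed archive bytes".freeze
SAMPLE_PIN  = Digest::SHA256.hexdigest(SAMPLE_BODY) # stands in for the pinned checksum

if __FILE__ == $PROGRAM_NAME
  insecure_downgrades(SAMPLE_CHAIN).each { |hop| puts "downgrade: #{hop}" }
  puts "acceptable: #{acceptable?(SAMPLE_CHAIN, SAMPLE_BODY, SAMPLE_PIN)}"
end
```

With no pinned checksum, the redirect check is the only control left, which is why the downgrade matters more for a nightly than for a hashed release.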