Release Checksum - improper method employed

laurent22 / joplin

Joplin - the privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS.

https://joplinapp.org

Other

46.25k stars 5.03k forks source link

Release Checksum - improper method employed #11249

Open scottfurry opened 1 month ago

scottfurry commented 1 month ago

Operating system

macOS

Joplin version

gt or eql 3.1.15

Desktop version info

No response

Current behaviour

Current Stable Releases uses a Windows blockfile to verify MacOS disk-image dmg.

Expected behaviour

Platform independent sha512sum file expected.

Logs

No response

laurent22 commented 1 month ago

Answered here: https://github.com/laurent22/joplin/pull/11252

scottfurry commented 1 month ago

From pull request:

Reason for the Change: The current build process relies on platform-specific mechanisms to verify the integrity of macOS .dmg files. This change provides a platform-independent solution by using a sha512sum checksum, improving security and ease of use for all users.

I believe the rational is valid and prudent. The .dmg can be manipulated. I have to disagree with the decision.

laurent22 commented 1 month ago

The .dmg can be manipulated

Yes it can - but then it won't be allowed to run. So I'm not seeing any problem here. Also, again, we already publish a hash in latest-mac.yml. It's unclear why this is not enough