Status: Closed (ptomato closed 1 year ago)
You should not be bundling Package Control with Sublime Text. There is a reason Sublime HQ doesn't ship Package Control by default, and that is because it opts people in to network communication. We'd prefer a user opt-in by installing Package Control.
There is a convenience method in Sublime Text in the command palette that allows someone to trivially install Package Control, and it uses an elliptic curve signing key to make sure the package file is released by me.
Just for the record, the signature file lives at https://packagecontrol.io/Package%20Control.sublime-package.sig.
It is an ECDSA signature. The public key is maintained in the Sublime Text release in the Packages/Default.sublime-package/install_package_control.py file.
We are trying to include Package Control by default in the unofficial Sublime Text installer on Flathub but it seems that the file at https://packagecontrol.io/Package%20Control.sublime-package changed with the release of 3.4.0 and 3.4.1, while keeping the same name and URL. This breaks the installer, as it can no longer verify (by checksum) that the downloaded file has not been tampered with.
Would it be possible to include the Package Control version number in the download URL? Or provide an alternate versioned URL for each individual version, or maybe attach the .sublime-package file to each release on GitHub? That way, we would have some time to update the link in the Flathub installer whenever a new version of Package Control is released, without the installer being broken in the meantime.
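The thread contrasts two ways of checking a downloaded package: a pinned checksum, which necessarily fails whenever a new build is published under the same URL, and the detached ECDSA signature that Sublime Text's built-in installer checks against a pinned public key. The script below is an added example, not code from this issue, from Package Control or from the Flathub installer; it shows both checks side by side using openssl. The curve (prime256v1), the SHA-256 digest, the detached DER signature format and the key pair it generates are assumptions made for the illustration, not Package Control's documented parameters, and the package payloads are constructed stand-ins.

```shell
#!/bin/sh
# Added example: checksum pinning versus detached ECDSA signature verification
# for a package served from a stable URL. Curve, digest and signature format
# are assumptions for illustration, not the real project's parameters.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed publisher key pair. A real verifier only ever holds the public key.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/publisher.key" 2>/dev/null
openssl ec -in "$WORK/publisher.key" -pubout -out "$WORK/publisher.pub" 2>/dev/null

# sign_package PRIVKEY FILE SIGOUT
# Publisher side: detached ECDSA signature over the SHA-256 digest of FILE.
sign_package() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_signature PUBKEY FILE SIG
# Verifier side: exit 0 if SIG is a valid signature over FILE under PUBKEY.
verify_signature() {
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# sha256_of FILE : print the hex SHA-256 digest (works with OpenSSL 1.1 and 3)
sha256_of() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# verify_checksum EXPECTED_HEX FILE : exit 0 only if the digest matches the pin.
verify_checksum() {
  [ "$(sha256_of "$2")" = "$1" ]
}

# report LABEL CMD ARGS... : print whether a verification step accepts the file
report() {
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

# First release: the installer pins its checksum, the publisher signs it.
printf 'constructed payload of release one\n' > "$WORK/release1.sublime-package"
sign_package "$WORK/publisher.key" "$WORK/release1.sublime-package" "$WORK/release1.sig"
PINNED_SHA256=$(sha256_of "$WORK/release1.sublime-package")

# Second release later served under the same filename and URL.
printf 'constructed payload of release two\n' > "$WORK/release2.sublime-package"
sign_package "$WORK/publisher.key" "$WORK/release2.sublime-package" "$WORK/release2.sig"

# Tampered payload paired with the legitimate signature of release one.
printf 'constructed tampered payload\n' > "$WORK/tampered.sublime-package"

report "checksum pin, release one"  verify_checksum "$PINNED_SHA256" "$WORK/release1.sublime-package"
report "checksum pin, release two"  verify_checksum "$PINNED_SHA256" "$WORK/release2.sublime-package"
report "signature, release one"     verify_signature "$WORK/publisher.pub" "$WORK/release1.sublime-package" "$WORK/release1.sig"
report "signature, release two"     verify_signature "$WORK/publisher.pub" "$WORK/release2.sublime-package" "$WORK/release2.sig"
report "signature, tampered file"   verify_signature "$WORK/publisher.pub" "$WORK/tampered.sublime-package" "$WORK/release1.sig"
```

The checksum pin rejects the second release even though it is genuine, which is the breakage described in the issue, while the pinned public key accepts every build the publisher signed and still rejects a payload that does not match its signature. The trade-off is that a signature check trusts whatever the key holder signs, so an installer that wants to pin one exact build still needs a versioned URL or a per-version checksum in addition to the signature.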