Comments (6)
JSToolNpp download is at SourceForge.net, and Notepad++ plugin manager will check MD5 (both zip file and dll file) when installing JSToolNpp.
from jstoolnpp.
> download is at SourceForge.net

sourceforge is not available over https and also known to be inserting malware into binaries

> check MD5

1. MD5 is not a replacement for a digital signature made using secure algorithms (the most widely used ones for a TDF are RSA, DSA and ECDSA and SHA256 - SHA384 for a hash function) and sufficient key length (2048 minimum in the case of RSA).
2. it is even insecure to use MD5 as a part of a digital signature scheme
from jstoolnpp.
Hi, KOLANICH

> Your site lacks https, which means that anyone can inject malicious code into the binaries.

I just say that download site is not mine, if you think download from sourceforge.net is not secure, you may ask sf.net to support https. There is lots of software available on sf.net, I think it is enough for my project.

> So I suggest you to put releases on GitHub and sign every with gpg

I cannot see it is necessary, Notepad++ has done some security check (MD5 is not secure enough, you may think), and my project is open source, you can even build it by yourself which is very easy.
from jstoolnpp.
> I just say that download site is not mine

OK

> There is lots of software available on sf.net, I think it is enough for my project.

I don't think it is secure enough to download executables from SF.

> I cannot see it is necessary, Notepad++ has done some security check (MD5 is not secure enough, you may think),

this check is calculating MD5 and sending it to the owner (http://npppluginmgr.sourceforge.net/app/validate.php?md5=) and getting the result.
As you see, the channel is insecure and it is worth nothing to replace also the result of the check.

> my project is open source, you can even build it by yourself which is very easy.

Of course I can. But Plugin Manager cannot.
from jstoolnpp.
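The validation flow described in the comment above, modelled offline as an added example (not code from Plugin Manager or from anyone in this thread). `validation_service`, the two channel functions and the pinned digest are hypothetical, and the byte strings are constructed stand-ins for a plugin DLL.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a released DLL and a modified copy.
GENUINE_DLL = b"MZ constructed genuine plugin bytes"
TAMPERED_DLL = b"MZ constructed modified plugin bytes"

# Hypothetical pin: SHA-256 of the genuine release, assumed to reach the
# client over an authenticated path rather than over the download channel.
PINNED_SHA256 = hashlib.sha256(GENUINE_DLL).hexdigest()


def validation_service(md5_hex: str) -> str:
    """Model of the remote check: the server says whether it knows this MD5."""
    known = {hashlib.md5(GENUINE_DLL).hexdigest()}
    return "ok" if md5_hex in known else "unknown"


def honest_channel(response: str) -> str:
    """Delivers the server's answer unchanged."""
    return response


def untrusted_http_channel(response: str) -> str:
    """Plain HTTP has no integrity: the answer can differ from what was sent."""
    return "ok"


def remote_verdict_check(data: bytes, channel) -> bool:
    """Client logic of the design under discussion: trust the verdict received."""
    verdict = channel(validation_service(hashlib.md5(data).hexdigest()))
    return verdict == "ok"


def pinned_digest_check(data: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Local comparison against a digest obtained out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)


if __name__ == "__main__":
    for name, data in (("genuine", GENUINE_DLL), ("tampered", TAMPERED_DLL)):
        print(name,
              remote_verdict_check(data, honest_channel),
              remote_verdict_check(data, untrusted_http_channel),
              pinned_digest_check(data))
```

The remote verdict is only as trustworthy as the channel that carries it, while the pinned comparison does not depend on the download channel at all.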
I don't know how to make you understand my point, maybe my English is too poor.
Let me say my point in this way: if you think http traffic is not secure in your network environment, I think my plugin's download url is still the last thing to worry about. I cannot see moving to https will make this kind of situation better.
And if someone thinks the JSToolNpp he/she downloaded is not the correct one, he/she can validate it easily or even build it himself/herself easily.
SourceForge.net is a widely used and widely available download site which I used to host JSMinNpp download for 5 years. I've tried Google code, but you know what happened now. Github download is not 100% accessible in China where about 10% of JSToolNpp downloads come from.
So from my point of view, SourceForge.net is still a better place to host download than Github today. Things may change later, then I'll consider moving the download to another place.
from jstoolnpp.
> Let me say my point in this way: if you think http traffic is not secure in your network environment

This is exactly the case HTTPS was made for.

> I think my plugin's download url is still the last thing to worry about.

It is not the reason not to use https.

> I cannot see moving to https will make this kind of situation better.

It depends on threat model.

> Github download is not 100% accessible in China where about 10% JSToolNpp downloads come from.

You can mirror the files to SF. If you use some scripts to upload the build to sf, you can add uploading to gh quite easily. Also I think git lfs can suit for this, I'll contact GH support.
from jstoolnpp.