
Comments (6)

sunjw commented on June 7, 2024

The JSToolNpp download is at SourceForge.net, and the Notepad++ Plugin Manager will check the MD5 (of both the zip file and the DLL file) when installing JSToolNpp.

from jstoolnpp.

KOLANICH commented on June 7, 2024

download is at SourceForge.net

SourceForge is not available over HTTPS and is also known to be inserting malware into binaries.

check MD5

1. MD5 is not a replacement for a digital signature made using secure algorithms (the most widely used ones for a TDF are RSA, DSA and ECDSA, with SHA-256 or SHA-384 as the hash function) and a sufficient key length (2048 bits minimum in the case of RSA).
2. It is even insecure to use MD5 as part of a digital signature scheme.

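The comment above sets a minimum bar (SHA-256 digest, RSA with at least 2048 bits) without showing what an installer would actually do with such a signature. The following is an added example, not code from JSToolNpp or the Notepad++ Plugin Manager: the publisher signs the SHA-256 digest of a release with RSA-PSS, and the installer, which already holds the publisher's public key, refuses undersized keys, recomputes the digest locally and verifies the signature. The artifact bytes are constructed for the example; `generateKey`, `syntheticKey`, `signRelease` and `verifyRelease` are names chosen here, not anything the project ships.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Policy from the comment above: SHA-256 as the digest, RSA modulus of at
// least 2048 bits. Anything weaker is refused on both sides.
const minRSABits = 2048

// keyStrongEnough enforces the minimum modulus size before any signature
// math is attempted.
func keyStrongEnough(pub *rsa.PublicKey) bool {
	return pub != nil && pub.N != nil && pub.N.BitLen() >= minRSABits
}

// generateKey wraps key generation so callers do not need crypto/rand.
func generateKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// syntheticKey builds a public key whose modulus has exactly the requested
// bit length. It is NOT a valid RSA key; it exists only to exercise the
// key-strength policy (assumption: used for policy tests only).
func syntheticKey(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

// signRelease hashes the release artifact with SHA-256 and signs the digest
// with RSA-PSS. The publisher runs this once per release with the private key.
func signRelease(priv *rsa.PrivateKey, artifact []byte) ([]byte, error) {
	if !keyStrongEnough(&priv.PublicKey) {
		return nil, errors.New("refusing to sign with an RSA key shorter than 2048 bits")
	}
	digest := sha256.Sum256(artifact)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyRelease is what an installer does instead of comparing an MD5 that
// travelled over the same channel as the binary: check key strength,
// recompute the SHA-256 digest locally, verify against the pinned public key.
func verifyRelease(pub *rsa.PublicKey, artifact, sig []byte) error {
	if !keyStrongEnough(pub) {
		return fmt.Errorf("publisher key is below the %d-bit minimum", minRSABits)
	}
	digest := sha256.Sum256(artifact)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature does not match artifact: %w", err)
	}
	return nil
}

func main() {
	// Constructed sample bytes standing in for a plugin zip; not a real build.
	artifact := []byte("JSToolNpp.zip: constructed sample release bytes")

	publisher, err := generateKey(2048)
	if err != nil {
		panic(err)
	}
	sig, err := signRelease(publisher, artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", verifyRelease(&publisher.PublicKey, artifact, sig))

	// One flipped byte: the digest changes and the signature no longer verifies.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", verifyRelease(&publisher.PublicKey, tampered, sig))

	// An attacker who replaced the file cannot re-sign it without the private
	// key; a signature from their own key fails against the pinned publisher key.
	attacker, _ := generateKey(2048)
	forged, _ := signRelease(attacker, tampered)
	fmt.Println("attacker-signed artifact:", verifyRelease(&publisher.PublicKey, tampered, forged))

	// A 1024-bit modulus is rejected by policy before any signature check.
	fmt.Println("weak key:", verifyRelease(syntheticKey(1024), artifact, sig))
}
```

The part that makes this stronger than a checksum is the last argument of `verifyRelease`: the public key has to reach the installer by a path the attacker cannot rewrite (bundled with the installer, or fetched over an authenticated channel), and once it has, neither the artifact nor its signature needs a trusted download channel.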

sunjw commented on June 7, 2024

Hi, KOLANICH

Your site lacks https, which means that anyone can inject malicious code into the binaries.

I'm just saying that the download site is not mine. If you think downloading from sourceforge.net is not secure, you may ask sf.net to support HTTPS. There is lots of software available on sf.net; I think it is enough for my project.

So I suggest you put releases on GitHub and sign each one with GPG.

I cannot see that it is necessary. Notepad++ has done some security checks (MD5 is not secure enough, you may think), and my project is open source; you can even build it yourself, which is very easy.


KOLANICH commented on June 7, 2024

I'm just saying that the download site is not mine
OK

There is lots of software available on sf.net; I think it is enough for my project.
I don't think it is secure enough to download executables from SF.

I cannot see that it is necessary. Notepad++ has done some security checks (MD5 is not secure enough, you may think),

This check calculates the MD5, sends it to the owner (http://npppluginmgr.sourceforge.net/app/validate.php?md5=) and gets the result.

As you see, the channel is insecure, and it costs nothing to also replace the result of the check.

my project is open source; you can even build it yourself, which is very easy.

Of course I can. But Plugin Manager cannot.

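To make the point of the comment above concrete: the check hashes the download and asks validate.php over plain HTTP whether that MD5 is known, so an attacker who can swap the file on the wire can also answer the validation request. The following is an added simulation, not the Plugin Manager's code: a pluggable `link` stands in for the unauthenticated HTTP path, once honest and once with an active attacker on it, and the same MD5 lookup is run against both. The plugin bytes are constructed, the endpoint URL is the one quoted in the thread, and the "valid"/"invalid" reply format is an assumption (the page does not document the real response). A pinned SHA-256 list that the installer holds before touching the network is shown beside it for contrast.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// Constructed stand-ins for the plugin files; neither is a real JSToolNpp build.
var (
	genuinePlugin = []byte("JSToolNpp.dll: genuine build (constructed sample bytes)")
	trojanPlugin  = []byte("JSToolNpp.dll: tampered build (constructed sample bytes)")
)

// validateEndpoint is the plaintext URL quoted in the comment above.
const validateEndpoint = "http://npppluginmgr.sourceforge.net/app/validate.php?md5="

func hexMD5(b []byte) string    { s := md5.Sum(b); return hex.EncodeToString(s[:]) }
func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// link models the unauthenticated HTTP path between the plugin manager and
// the servers (download host and validate.php). With an active attacker on
// it, both the file and the validation reply are theirs to rewrite.
type link struct {
	attacker  bool
	serverMD5 map[string]bool // what the honest validate.php accepts
}

func honestLink() link {
	return link{serverMD5: map[string]bool{hexMD5(genuinePlugin): true}}
}

func attackedLink() link {
	l := honestLink()
	l.attacker = true
	return l
}

// download returns whatever arrives over the plaintext connection.
func (l link) download() []byte {
	if l.attacker {
		return trojanPlugin
	}
	return genuinePlugin
}

// get answers a validate.php request. Reply format ("valid"/"invalid") is an
// assumption for this example.
func (l link) get(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "invalid"
	}
	q := u.Query().Get("md5")
	// The attacker knows the hash of the file they just served and simply
	// answers "valid" for it; any other query is passed through unchanged.
	if l.attacker && q == hexMD5(trojanPlugin) {
		return "valid"
	}
	if l.serverMD5[q] {
		return "valid"
	}
	return "invalid"
}

// remoteMD5Check reproduces the scheme described above: hash the download,
// ask validate.php over HTTP, trust the answer.
func remoteMD5Check(l link) ([]byte, bool) {
	artifact := l.download()
	reply := l.get(validateEndpoint + hexMD5(artifact))
	return artifact, reply == "valid"
}

// pinnedSHA256 is a digest list the installer already holds before talking to
// the network (assumption: shipped inside the installer's own release). It
// does not depend on anything the attacker can rewrite on the wire.
var pinnedSHA256 = map[string]bool{hexSHA256(genuinePlugin): true}

func pinnedCheck(artifact []byte) bool {
	return pinnedSHA256[hexSHA256(artifact)]
}

func main() {
	for _, l := range []link{honestLink(), attackedLink()} {
		art, ok := remoteMD5Check(l)
		fmt.Printf("attacker=%v  remote MD5 check passed=%v  pinned SHA-256 passed=%v  got=%q\n",
			l.attacker, ok, pinnedCheck(art), art[:23])
	}
}
```

With the attacker on the link, the MD5 lookup reports the tampered file as valid, because the only thing it verified is that the server it reached agrees with a hash it was handed over the same channel. The pinned list rejects the tampered file, but it only moves the problem: the list itself must reach the installer authentically and be updated for every release, which is why a signature over the artifact, verified with a key the installer already holds, is the usual replacement rather than a longer hash.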

sunjw commented on June 7, 2024

I don't know how to make you understand my point, maybe my English is too poor.

Let me put my point this way: if you think HTTP traffic is not secure in your network environment, I think my plugin's download URL is still the last thing to worry about. I cannot see how moving to HTTPS will make this kind of situation better.

And if someone thinks the JSToolNpp he/she downloaded is not the correct one, he/she can validate it easily or even build it themselves easily.

SourceForge.net is a widely used and widely available download site, which I have used to host the JSMinNpp download for 5 years. I've tried Google Code, but you know what happened to it. GitHub downloads are not 100% accessible in China, where about 10% of JSToolNpp downloads come from.

So from my point of view, SourceForge.net is still a better place to host the download than GitHub today. Things may change later; then I'll consider moving the download to another place.


KOLANICH commented on June 7, 2024

Let me put my point this way: if you think HTTP traffic is not secure in your network environment

This is exactly the case HTTPS was made for.

I think my plugin's download URL is still the last thing to worry about.

That is not a reason not to use HTTPS.

I cannot see how moving to HTTPS will make this kind of situation better.

It depends on the threat model.

GitHub downloads are not 100% accessible in China, where about 10% of JSToolNpp downloads come from.

You can mirror the files to SF. If you use some scripts to upload the build to SF, you can add uploading to GH quite easily. Also, I think Git LFS can suit this; I'll contact GH support.

