Verification key and installer hosted in the same place #5474
Assignees
Labels
💡 enhancement
This issue describes an improvement, enhancement, or feature request for OpenShot
Comments
Synteek
added
the
💡 enhancement
|
+1 for proper security. |
|
Thanks for the suggestion. The only issue is I am the only developer with write access to the OpenShot repos. We have had security issues in the past from other contributors pushing code. While I could move the shasum to a different website (i.e. openshot.org), I'm not sure that really mitigates the threat mentioned here. I will do some research into this. Thanks for the suggestion! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the new feature:
Currently, OpenShot Installer and shasum verification are hosted on the same service, under the same repository/user.
Latest as of this request:
github.com/OpenShot/openshot-qt/releases/download/v3.1.1/OpenShot-v3.1.1-x86_64.exe
github.com/OpenShot/openshot-qt/releases/download/v3.1.1/OpenShot-v3.1.1-x86_64.exe.sha256sum.verify
Describe the solution you'd like:
The shasum should be hosted elsewhere, or at least under a different major contributor's account than yours @jonoomph
The text was updated successfully, but these errors were encountered: