Security concerns for updates...
Very fine software.
I have an important security concern I'm hoping you can help solve.
Question 1:
How can I be sure the .xml updates are legitimate and from you,
what checks are in place? Is there a method to verify the updates via hash or key or otherwise?
Question 2:
Can I accept 'all' updates at once without having to click OK to each one?
Thank you much.
Justin
andrew
Tue, 11/17/2009 - 10:12
SHA256 and GPG verification
Because MD5 sums are weak, for each release I upload the SHA256 hash instead to SourceForge, and I sign the hash using my GPG key.
Yes, BleachBit version 0.7.1 adds this enhancement.
---
Andrew, lead developer
Justin
Wed, 11/18/2009 - 06:59
Thank you.
I am referring to the update that occurs while using Debian Linux, from
within the program for the xml (new), not the hash sum for the entire program.
Are the .xml updates able to be verified when BleachBit adds new ones, or is it that
the .xml updates only come with a complete new program update (verified via SHA256 & key)?
I may not understand your response correctly; is the verification 'only' available for a
complete 'new' program update?
Best regards,
Justin
andrew
Wed, 11/18/2009 - 08:22
BleachBit is not Firefox in the way Firefox can get extension updates any time, so the CleanerML (XML) updates only come with a new BleachBit application.
If you get BleachBit from the Debian repository
1. Debian should be verifying the software from me and then digitally signing the .deb package
2. You shouldn't see the security warning dialog. It shouldn't show for CleanerML files in /usr/share
---
Andrew, lead developer
Anonymous (not verified)
Sun, 11/20/2011 - 12:46
Hello,
It would be very nice if there were also a SHA-256 hash for the Windows installer .exe.
andrew
Sun, 11/20/2011 - 21:07
SHA-256 hash
There is, in the same place on SourceForge. For the latest release, look here
http://sourceforge.net/projects/bleachbit/files/bleachbit/0.9.1/
for the file called bleachbit-0.9.1-sha256sum.txt.asc
The line you are looking for is
f0090a058a11c6429827be0511d0c207ede306fe8f2b9003f54c4354618c2eae BleachBit-0.9.1-setup.exe
---
Andrew, lead developer
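The check described in the reply above (find the installer's line in the signed sha256sum file and compare it with the downloaded file), as an added example that is not part of the thread or BleachBit's own code. It assumes the `.asc` file is clearsigned and that its signature has already been checked with `gpg --verify`; the sample listing, file name and function names are constructed for illustration.

```python
import hashlib
import hmac

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: digest is SHA-256 of b"abc"; file name and signature are placeholders.
SAMPLE = (
    "0" * 64 + "  example-setup.exe\n"  # outside the signed region: must be ignored
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-setup.exe\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)

def signed_lines(text):
    """Lines of the clearsigned body only; the signature itself is NOT checked here."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines:
        return lines  # plain sha256sum listing without armor
    start = lines.index(BEGIN_MSG) + 1
    while start < len(lines) and lines[start].strip():
        start += 1  # skip armor headers ("Hash: ...") up to the blank line
    # index() raises ValueError if the signature block is missing (truncated file)
    body = lines[start + 1:lines.index(BEGIN_SIG)]
    # Clearsigning dash-escapes lines that start with "-" as "- ..."
    return [l[2:] if l.startswith("- ") else l for l in body]

def expected_hash(text, filename):
    """Digest listed for filename inside the signed body."""
    for line in signed_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            digest = parts[0].lower()  # "*" above is sha256sum's binary-mode marker
            if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
                return digest
    raise KeyError(filename)

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)  # stream, so large installers are not loaded whole
    return h.hexdigest()

def verify(path, filename, listing_text):
    """True only if the file on disk matches the digest listed for filename."""
    return hmac.compare_digest(file_sha256(path), expected_hash(listing_text, filename))
```

Lines outside the signed region are skipped on purpose: GPG's signature covers only the text between the two armor markers, so a digest line placed before or after them carries no assurance.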