Hacker News
by
aftbit
1962 days ago
They have completely disabled issues on that repository. Wow I used to really like Signal...
kelnos
1962 days ago
And it seems they've fixed the issue, without any kind of public comment.... still not great:
https://github.com/signalapp/Signal-TLS-Proxy/commit/39a97da...
kdunglas
1962 days ago
I (partially) fixed this issue, and I'm not affiliated in any way with Signal. It's public (https://github.com/signalapp/Signal-TLS-Proxy/pull/2), and it looks like they welcome contributions, because they merged mine.
cryo
1962 days ago
Wouldn't it be saner to also verify the downloaded archive hash? It looks like the domain resolving of nginx.org is trusted without doubt.
kdunglas
1961 days ago
Sure! I also opened another PR to check the archive signature:
https://github.com/signalapp/Signal-TLS-Proxy/pull/10
gspr
1962 days ago
Sorry for not noticing your PR before filing the bug.
I still find the way they (partially) dealt with this a bit worrisome.