• Type: Suggestion
• Resolution: Unresolved
• Fix Version/s: None
• Component/s: Server - Upgrade Manager
• Labels:

  • affects-server
  • checksum
  • compliance
  • dmb-legacy-jac-none
  • download
  • loyalty
  • migrations&upgrades
  • no-cvss-required
  • not-80
  • sc
  • security

[CONFSERVER-25687] Provide sha256 checksums for downloads and Sign Windows installer package

Collapse comment: nataliawatanabe added a comment - 23/Sep/2020 1:41 PM

nataliawatanabe added a comment - 23/Sep/2020 1:41 PM

+1

Expand comment: nataliawatanabe added a comment - 23/Sep/2020 1:41 PM

nataliawatanabe added a comment - 23/Sep/2020 1:41 PM +1

Collapse comment: Kiran Srinivas (Inactive) added a comment - 25/Feb/2020 10:53 AM

Kiran Srinivas (Inactive) added a comment - 25/Feb/2020 10:53 AM

https://getsupport.atlassian.com/browse/GHS-179655 Another request from Jira customer

Expand comment: Kiran Srinivas (Inactive) added a comment - 25/Feb/2020 10:53 AM

Kiran Srinivas (Inactive) added a comment - 25/Feb/2020 10:53 AM https://getsupport.atlassian.com/browse/GHS-179655  Another request from Jira customer

Collapse comment: Amanda Morton added a comment - 03/Jul/2019 4:39 PM

Amanda Morton added a comment - 03/Jul/2019 4:39 PM

We are also getting pushback from our security on this issue on all of our instances. Please incorporate this feature. 

Best,

Amanda

Expand comment: Amanda Morton added a comment - 03/Jul/2019 4:39 PM

Amanda Morton added a comment - 03/Jul/2019 4:39 PM We are also getting pushback from our security on this issue on all of our instances. Please incorporate this feature.  Best, Amanda

Collapse comment: Gaj Umapathy added a comment - 03/May/2019 4:07 PM

Gaj Umapathy added a comment - 03/May/2019 4:07 PM

Atlassian,

We are being chased by security on this. Any update is appreciated.

 

Cheers,

Gaj

Expand comment: Gaj Umapathy added a comment - 03/May/2019 4:07 PM

Gaj Umapathy added a comment - 03/May/2019 4:07 PM Atlassian, We are being chased by security on this. Any update is appreciated.   Cheers, Gaj

Collapse comment: Funet CERT added a comment - 30/Jan/2019 8:57 AM

Funet CERT added a comment - 30/Jan/2019 8:57 AM

It is standard procedure to review checksums of any downloads before you install and use it. But as there is no checksums available you should not download or test these possible malisious products. There is none good reason not to provide the prove of authenticity. And even you might trust the Atlassian's end the downloaded package could get exploited or got br0ken in transit. This is not the way you should provide binaries for you customers. So sad.

Expand comment: Funet CERT added a comment - 30/Jan/2019 8:57 AM

Funet CERT added a comment - 30/Jan/2019 8:57 AM It is standard procedure to review checksums of any downloads before you install and use it. But as there is no checksums available you should not download or test these possible malisious products. There is none good reason not to provide the prove of authenticity. And even you might trust the Atlassian's end the downloaded package could get exploited or got br0ken in transit. This is not the way you should provide binaries for you customers. So sad.

Collapse comment: GÉANT IT added a comment - 24/Nov/2017 11:41 AM, Edited by GÉANT IT - 24/Nov/2017 11:41 AM

GÉANT IT added a comment - 24/Nov/2017 11:41 AM - edited

Hi I just noticed that the issue title has been changed so that it narrows down to "Sign Windows installer package" (not sure what that exactly means btw).
Please change it back as the issue does apply to ALL downloads.

THanks!

Expand comment: GÉANT IT added a comment - 24/Nov/2017 11:41 AM, Edited by GÉANT IT - 24/Nov/2017 11:41 AM

GÉANT IT added a comment - 24/Nov/2017 11:41 AM - edited Hi I just noticed that the issue title has been changed so that it narrows down to "Sign Windows installer package" (not sure what that exactly means btw). Please change it back as the issue does apply to ALL downloads. THanks!

Collapse comment: Adam Barnes (Inactive) added a comment - 27/Jul/2017 12:30 AM

Adam Barnes (Inactive) added a comment - 27/Jul/2017 12:30 AM

Hi all, just a quick update, this is something which we intend to address in the near future. Keep Watching for updates.

 

Expand comment: Adam Barnes (Inactive) added a comment - 27/Jul/2017 12:30 AM

Adam Barnes (Inactive) added a comment - 27/Jul/2017 12:30 AM Hi all, just a quick update, this is something which we intend to address in the near future. Keep Watching for updates.  

Collapse comment: Matjaž Antloga - BalkanCloud IT added a comment - 24/Jul/2017 8:56 PM

Matjaž Antloga - BalkanCloud IT added a comment - 24/Jul/2017 8:56 PM

100% agree with Stefan. 

 
Dear Atlassians, can you please stop ignoring your paying customers and provide cryptographically signed downloads?
 

Expand comment: Matjaž Antloga - BalkanCloud IT added a comment - 24/Jul/2017 8:56 PM

Matjaž Antloga - BalkanCloud IT added a comment - 24/Jul/2017 8:56 PM 100% agree with Stefan.    Dear Atlassians, can you please stop ignoring your paying customers and  provide cryptographically signed downloads ?  

Collapse comment: Stefan added a comment - 03/May/2017 8:19 AM

Stefan added a comment - 03/May/2017 8:19 AM

This issue is 5 years old.

It seems no one is working on this. Does this issue get any attention from your side?

Dear Atlassians, can you please stop ignoring your paying customers and provide cryptographically signed downloads?

Expand comment: Stefan added a comment - 03/May/2017 8:19 AM

Stefan added a comment - 03/May/2017 8:19 AM This issue is 5 years old . It seems no one is working on this. Does this issue get any attention from your side? Dear Atlassians, can you please stop ignoring your paying customers and provide cryptographically signed downloads ?

Collapse comment: Vendor Support added a comment - 26/Apr/2017 8:12 PM

Vendor Support added a comment - 26/Apr/2017 8:12 PM

Wow, why no signed packages, or checksums at least?  Furthermore, I was hit by a double compression issue when downloading, with JIra and bitbucket.  Can you please fix your webserver?

 

"Meaning, if you downloaded this from a web server, sometimes Gzip compression get’s applied to web content on the server level to speed up content download. But if not properly set on the server to ignore already compressed content such as this, it can inadvertently double-Gzip files."

https://superuser.com/questions/841865/extracting-a-tar-gz-file-returns-this-does-not-look-like-a-tar-archive

Expand comment: Vendor Support added a comment - 26/Apr/2017 8:12 PM

Vendor Support added a comment - 26/Apr/2017 8:12 PM Wow, why no signed packages, or checksums at least?  Furthermore, I was hit by a double compression issue when downloading, with JIra and bitbucket.  Can you please fix your webserver?   " Meaning, if you downloaded this from a web server, sometimes Gzip compression get’s applied to web content on the server level to speed up content download. But if not properly set on the server to ignore already compressed content such as this, it can inadvertently double-Gzip files. " https://superuser.com/questions/841865/extracting-a-tar-gz-file-returns-this-does-not-look-like-a-tar-archive

Load more older comments