Right then. All of us Mac users need to find a new BitTorrent client :)
(I don’t personally care THAT much - I use BT once in a blue moon to download Linux distros :)
Or, perhaps better, get involved and help out with the release process so that it becomes more secure.
I read on HN that in-app upgrades were not affected, only their website. If that’s true, sounds like better security surrounding their web / release process there is needed.
Why does this keep happening? Are they storing the key on the web server, then getting hacked?
Last time this happened, there was never a proper post-mortem and the site was never brought offline. I don’t think they know how the previous compromise happened, nor that they did rebuild the compromised system.
If I had to guess, I would say that this second compromise is just the first attackers using their previously established foothold.
Unfortunately Transmission is just dead stupid simple, and I don’t want anything else.
Who wants to build a new bittorrent client?
You could create a fork that is just a vetted mirror of the repo: every commit would be reviewed by you or a team before being merged, but you would have to build and supply your own releases from that source code. There may be a project that does exactly this for Transmission for Mac already? For Linux distros it is a bit simpler, as you could probably rely on the distro doing the merging, reviewing and building for you?
Not a solution for everyone, but: compile from source and run the open source client Deluge. I use Deluge on my RPi, which is my always-on NAS which also happens to support torrenting thanks to Deluge :)
We had a thread on the previous incident.
What concerns me most is the developers' response to this incident. They clearly haven’t patched their server since the first time.
I am a very happy Transmission user on Linux, but I can’t help thinking that for a piece of network software, the developers are not security conscious enough.
I can recommend Deluge, which is very simple, lightweight but also powerful and really stable. It has many useful features which can make your life easier and supports extensions.
The feature I like most about it is the nice WebUI, which allows you to run a seedbox in your home network and control it completely remotely over your internal home network and even, if you dare and set a password for the interface, remote control it over the web. It’s a web server after all.
It is time to switch to something like Aria2.
They aren’t very responsive to multiple inquiries about the PGP key. They ignored requests on the first hack as well. https://github.com/transmission/transmission/issues/16
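Two points in the thread fit together: in-app upgrades were reportedly unaffected while website downloads were trojanized, and the open question is whether the signing key sat on the web server. The difference is where the trust anchor lives. The following Go program is an added illustration, not code from this thread or from the Transmission project; it uses Ed25519 as a stand-in for PGP (the real project's key type and update mechanism are not described here), and the artifact bytes, key pair and checksum are all constructed for the example. It contrasts an updater that verifies against a public key pinned in the client with the habit of comparing a download against a checksum published on the same website that served it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Release is what a download site or an in-app updater hands the client:
// the build artifact plus a detached signature over its SHA-256 digest.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// Signer holds the release-signing private key. Where this key lives is the
// question the thread keeps circling: kept on an offline signing host it
// survives a web-server compromise; kept on the web server it is lost with
// the first hack.
type Signer struct{ priv ed25519.PrivateKey }

// NewSigner generates a fresh Ed25519 key pair (constructed for the example;
// a real project would use a long-lived key that never touches the web host).
func NewSigner() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, nil, err
	}
	return Signer{priv: priv}, pub, nil
}

// Sign produces the release bundle for an artifact.
func (s Signer) Sign(artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{Artifact: artifact, Signature: ed25519.Sign(s.priv, digest[:])}
}

// VerifyPinned mirrors an in-app updater: the public key is compiled into the
// client, so nothing the website serves can change what the client trusts.
func VerifyPinned(pinned ed25519.PublicKey, r Release) bool {
	if len(pinned) != ed25519.PublicKeySize {
		return false
	}
	digest := sha256.Sum256(r.Artifact)
	return ed25519.Verify(pinned, digest[:], r.Signature)
}

// ChecksumMatches mirrors the weaker habit of comparing a download against a
// hex SHA-256 published next to it. It is only as trustworthy as the page
// that published the checksum.
func ChecksumMatches(artifact []byte, publishedHex string) bool {
	digest := sha256.Sum256(artifact)
	want, err := hex.DecodeString(publishedHex)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(digest[:], want) == 1
}

// Tamper models a website compromise as a negative test case: the artifact is
// replaced and its checksum republished, but without the signing key the old
// signature is all that can travel with the new bytes.
func Tamper(r Release, replacement []byte) (Release, string) {
	digest := sha256.Sum256(replacement)
	return Release{Artifact: replacement, Signature: r.Signature}, hex.EncodeToString(digest[:])
}

func main() {
	signer, pinned, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for a genuine build and a tampered one.
	genuine := signer.Sign([]byte("example-genuine-build"))
	tampered, tamperedChecksum := Tamper(genuine, []byte("example-tampered-build"))

	fmt.Println("genuine build, pinned key      :", VerifyPinned(pinned, genuine))                       // true
	fmt.Println("tampered build, pinned key     :", VerifyPinned(pinned, tampered))                      // false
	fmt.Println("tampered build, site checksum  :", ChecksumMatches(tampered.Artifact, tamperedChecksum)) // true
}
```

The last line is the lesson: a checksum served from the compromised site still "matches" the tampered build, while the pinned-key check fails it. A detached PGP signature gives the same property only if the private key is kept off the server that was compromised and clients verify against a key they already hold, which is exactly the information the thread's commenters are asking the project for.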