Hi there,
I just installed SourceTree and it asked me whether I'd like to use an embedded version of Mercurial or if I'd like to download it manually. I chose the former because I'm lazy, but as far as I could tell from the download dialog, Mercurial was actually downloaded over a non-encrypted channel.
Is that really true?
It matters because SourceTree could be downloading arbitrary data from the Internet without verifying the source. For instance, I could be at a coffee shop or conference where I don't control my connection to the Internet and a malicious user could be feeding me a bad package.
It's like saying we should have strict security at the airport and prevent people from bringing water bottles into the terminal, but also that we don't really care to screen any of the vendors selling water bottles inside the terminal...
To top this off, imagine I had just installed SourceTree via the provided installer and that SourceTree had subsequently been launched by that installer. The installer probably ran as Administrator on my machine, so unless the SourceTree devs were extra careful, this means SourceTree will now shell out to the downloaded Mercurial binaries with Administrator privileges. You can probably see why that's bad if the package didn't actually come from Atlassian's servers. :)
It may be true. Why does it matter? I don't think Mercurial's executables and libraries contain any of your sensitive or private information.