I just installed SourceTree and it asked me whether I'd like to use an embedded version of Mercurial or if I'd like to download it manually. I chose the former because I'm lazy, but as far as I could tell from the download dialog, Mercurial was actually downloaded over a non-encrypted channel.
Is that really true?
It matters because SourceTree could be downloading arbitrary data from the Internet without verifying the source. For instance, I could be at a coffee shop or conference where I don't control my connection to the Internet and a malicious user could be feeding me a bad package.
It's like saying we should have strict security at the airport and prevent people from bringing water bottles into the terminal, but also that we don't really care to screen any of the vendors selling water bottles inside the terminal...
To top this off, imagine I had just installed SourceTree via the provided installer and that SourceTree had subsequently been launched by that installer. The installer probably ran as Administrator on my machine, so unless the SourceTree devs were extra careful, this means SourceTree will now shell out to the downloaded Mercurial binaries with Administrator privileges. You can probably see why that's bad if the package didn't actually come from Atlassian's servers. :)
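An added example, not part of the original post and not Sourcetree's own code: one way a client could refuse to unpack or run a downloaded dependency unless it was fetched over HTTPS from the expected URL and matches a SHA-256 digest pinned inside the installer. The manifest, the URL and the archive bytes are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class UntrustedDownload(Exception):
    """The archive must not be unpacked or executed."""

# Constructed sample bytes standing in for the downloaded Mercurial archive.
SAMPLE_ARCHIVE = b"constructed-mercurial-archive-bytes"

# Hypothetical manifest shipped inside the installer, so the expected digest
# reaches the machine by a different path than the download itself.
PINNED = {
    "mercurial": {
        "url": "https://downloads.example.invalid/mercurial.zip",
        "sha256": hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
    }
}

def verify_archive(name, url, payload, manifest=PINNED):
    """Return the digest if payload is the pinned archive, else raise."""
    entry = manifest.get(name)
    if entry is None:
        raise UntrustedDownload(f"no pinned entry for {name!r}")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise UntrustedDownload("refusing non-HTTPS URL")
    if url != entry["url"]:
        raise UntrustedDownload("URL differs from pinned location")
    digest = hashlib.sha256(payload).hexdigest()
    # The digest check is what catches a modified package, whatever the transport.
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise UntrustedDownload("digest mismatch")
    return digest

def demo():
    url = PINNED["mercurial"]["url"]
    cases = {
        "genuine": (url, SAMPLE_ARCHIVE),
        "tampered": (url, SAMPLE_ARCHIVE + b"\x00injected"),
        "plain_http": (url.replace("https://", "http://"), SAMPLE_ARCHIVE),
    }
    results = {}
    for label, (case_url, data) in cases.items():
        try:
            results[label] = verify_archive("mercurial", case_url, data)
        except UntrustedDownload as exc:
            results[label] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```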
Supported Platforms macOS Windows To make using Sourcetree as simple yet powerful as possible we embed (bundle) dependencies such as Git, Git LFS, and Mercurial. We strive to keep these...