Does SourceTree really download embedded Mercurial over non-encrypted channel?

Soren Dreijer May 29, 2014

Hi there,

I just installed SourceTree and it asked me whether I'd like to use an embedded version of Mercurial or if I'd like to download it manually. I chose the former because I'm lazy, but as far as I could tell from the download dialog, Mercurial was actually downloaded over a non-encrypted channel.

Is that really true?

2 answers

0 votes
Soren Dreijer May 29, 2014

It matters because SourceTree could be downloading arbitrary data from the Internet without verifying the source. For instance, I could be at a coffee shop or conference where I don't control my connection to the Internet and a malicious user could be feeding me a bad package.

It's like saying we should have strict security at the airport and prevent people from bringing water bottles into the terminal, but also that we don't really care to screen any of the vendors selling water bottles inside the terminal...

To top this off, imagine I had just installed SourceTree via the provided installer and that SourceTree had subsequently been launched by that installer. The installer probably ran as Administrator on my machine, so unless the SourceTree devs were extra careful, this means SourceTree will now shell out to the downloaded Mercurial binaries with Administrator privileges. You can probably see why that's bad if the package didn't actually come from Atlassian's servers. :)
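The risk described above (an unverified package pulled over plain HTTP and then run with elevated rights) is usually mitigated by pinning the download to an HTTPS URL and checking the bytes against a digest the vendor publishes out of band. The following is an added example and is not SourceTree's or Atlassian's code; the sample package bytes and the "published" digest are constructed here, and the URLs are placeholders.

```python
"""Gate a downloaded installer before shelling out to it.

Added example, not SourceTree's or Atlassian's code. Assumes the vendor
publishes a SHA-256 digest of the package out of band (for example on an
HTTPS page or in a signed release note); the digest below is constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample "package" standing in for the Mercurial download, and
# the digest a vendor would publish for it. Real values come from the vendor.
SAMPLE_PACKAGE = b"MZ\x90\x00 constructed mercurial-installer payload"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


def check_download_url(url: str) -> bool:
    """Accept only URLs that give transport integrity (HTTPS with a host).

    Plain HTTP, as described in the question, lets anyone on the path
    (coffee-shop Wi-Fi, conference network) substitute the package.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Return True only if the bytes match the published digest.

    HTTPS proves who served the bytes; the digest proves they are the bytes
    the vendor built, even if a mirror or CDN was tampered with.
    hmac.compare_digest avoids leaking the comparison result via timing.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def safe_to_run(url: str, data: bytes, expected_sha256: str) -> bool:
    """Both the channel and the content must check out before execution."""
    return check_download_url(url) and verify_package(data, expected_sha256)


if __name__ == "__main__":
    # Hypothetical URLs; the only thing that differs is the scheme.
    good = safe_to_run("https://vendor.invalid/hg.msi", SAMPLE_PACKAGE, PUBLISHED_SHA256)
    bad = safe_to_run("http://vendor.invalid/hg.msi", SAMPLE_PACKAGE, PUBLISHED_SHA256)
    print("https + matching digest:", good)  # True
    print("http  + matching digest:", bad)   # False
```

Even with both checks passing, the launch itself should happen from a non-elevated process so that a later compromise of the package path does not inherit Administrator rights.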

0 votes
Seth
Rising Star
May 29, 2014

It may be true. Why does it matter? I don't think Mercurial's executables and libraries contain any of your sensitive or private information.
