Sandboxing about catch HOT 7 OPEN

Well that's the cool part, the effort is almost zero. As soon as a version of Sparkle compatible with sandboxing comes out, we just need to update to it and flip the sandboxing switch. No code changes needed in Catch.

We're already mostly covered because the feed checker service inside Catch is sandboxed - it only has outgoing network access + temporary access to the download folder that is passed from the main app. The feed checker service is the most vulnerable part of the app as it's exposed to data coming from the network and contains a parser. So if it is compromised, it can't change any files outside the download folder or start a server (among other things).

But the service does have a backchannel to the main app. So it'd be nice if the main app had no privileges at all. All it needs is access to the download folder, which is granted via powerbox. So even if someone could manage to forge a malicious feed which would cause the main app to misbehave, it would be mostly harmless.

Long story short, we wait on Sparkle and then we get extra security for free :)

from catch.

No need to apologize, it was a legitimate question :)

from catch.

For reference, the status of Sparkle 2 (the sandboxing release) is tracked at sparkle-project/Sparkle#1523

from catch.

Why do you want the app to be sandboxed? The only advantage I can think of is submitting it to the MAS, but Apple doesn't accept any apps related to torrents.

from catch.

What about security? :)

from catch.

How much would Sandboxing affect security for an app like Catch? Personally I don't think its worth the effort.

from catch.

Whelp. The Transmission ransomeware shit is now making me push for Sandboxing. Sorry for questioning you mate. Keep up the good work!

from catch.