Dolphin, the GameCube and Wii emulator - Forums

Full Version: 7zip not ideal for Windows installers
PROBLEM:

Dolphin comes packed by 7zip, but to my knowledge, 7zip cannot be downloaded securely for Windows. The 7zip website does not use HTTPS, and there are no installer checksums available on any trustworthy website that does use HTTPS.

I came here to download and install Dolphin but didn't do it, because it comes as a 7zip archive and I haven't found a way to install 7zip in a way that is up to modern security standards.

RECOMMENDED SOLUTION:

Provide an archive using a more standard format, e.g. zip or gz.
7-zip is open source so you can securely download the source, inspect it yourself, compile the source, and be on your way.

Alternatively, you can use WSL to give yourself a reproducible Linux environment in Win10 where you can download a 7zip extractor securely, and extract Dolphin that way.
Thanks for the reply. I'd like to add a couple of comments intended to illustrate the whole situation. I'm not trying to pick a fight.

Quote: 7-zip is open source so you can securely download the source, inspect it yourself, compile the source, and be on your way.

That's true! But expecting a Dolphin user to understand the 7zip code, know how to build from source on Windows, and be willing to put in the time to review the 7zip code just to play with Dolphin seems unrealistic. I fall into the category of "could do that, but no way I'm going to spend the time". I expect most real life users don't even think about security and download 7zip from the 7zip website because that's the shortest route to a working emulator [a].

Quote: Alternatively, you can use WSL to give yourself a reproducible Linux environment in Win10 where you can download a 7zip extractor securely, and extract Dolphin that way.

That's a really good idea, thanks! That's probably what I'll do. FWIW it would be nice to have a gz package so I don't have to install a 7zip program in WSL. Of course, a very small fraction of your users will think of using WSL or even know it exists. Most users are going to continue using untrusted software, and others like me might just give up when they realize that the 7zip website doesn't use HTTPS.

Unpacking Dolphin should be easy and secure on any platform. Presently, unpacking on Windows is not. Releasing a zip would remove the problem for Windows, and releasing a gzip would make it easier on Linux.

Thanks again for the suggestion to use WSL.

[a] Or maybe they use WinZip, which has the exact same problem (website doesn't use HTTPS), or WinRAR if they don't mind the Get WinRAR FREE with TrialPay part.

[b] smashladder is releasing their own package in zip format.
There are plenty of programs that can unpack .7z files, and this format produces smaller files than .zip or .gz. If you're too paranoid to use 7-Zip just because there's no checksum available on their HTTP only website (lol), just get another program that can read them...
(02-26-2018, 05:53 AM) mbc07 wrote: just get another program that can read them...

I'd be interested in your recommendations. I have not found one that is 1) hosted by a secure site, and 2) Doesn't involve ad shenanigans.
I just use 7-Zip, after all it was written by the creator of the format and is also open-source. However, here's a non-exhaustive list of programs that can read 7z if you want to continue your pointless search. AFAICT WinRAR can also read 7z and it's hosted in a secure site, but it's shareware and will start showing you ads after the 40-day trial expires, unless you buy it...
mbc07, you've made your point loud and clear that you think this issue is dumb. Different people have different ideas about what is and isn't reasonable security practice on their systems. Thank you for your comments.

I'll just leave this Chromium bug report here so you guys can get a feel for what the wider developer community thinks and what changes might be coming in browsers. Note in particular this part:

Dear all, consider that Turla Russian APT is exploiting techniques in delivering malware through sophisticated MITM attacks.
They send legitimate Adobe Flash installer over HTTP, then inject it with malware through MITM:
https://www.darkreading.com/attacks-breaches/turla-cyberespionage-gang-employs-adobe-flash-installer/d/d-id/1330788
It becomes very relevant to move on to block downloading of executable over HTTP channel.


I guess eventually would-be Dolphin users will complain that they can't unpack the software because their browser prints a red warning. Maybe then enough people will harass 7zip, WinZip, and the other sites not using HTTPS that those sites will get their acts together.

Thanks for all your help.
It's not our problem if other software can't figure out LetsEncrypt.

In any case, I don't see a compelling reason to ditch 7zip.

Uncompressed dolphin folder - 55mb

zip - 22.4mb

LZMA (7z) - 12.6mb

Not to mention that zip is a mess of a format and LZMA/7z is actually both performant and reasonably clean of a format.
(02-26-2018, 12:12 PM) Helios wrote: It's not our problem if other software can't figure out LetsEncrypt.

That, unfortunately, does nothing to help the user.

Quote: In any case, I don't see a compelling reason to ditch 7zip.

As already stated previously: 1) You can't get it securely on Windows, and 2) It's annoying for the user to have to download third party software to unpack an archive. Perhaps that's not compelling to you. Ok, we disagree. That's fine.

Quote: Uncompressed dolphin folder - 55mb

zip - 22.4mb

LZMA (7z) - 12.6mb

Not to mention that zip is a mess of a format and LZMA/7z is actually both performant and reasonably clean of a format.

I'm not sure why the user would care whether the download is 12MB or 22MB, and I'm sure they don't care whether the compressed file is a "good" format or a "bad" format.

How about adding a zip archive alongside the 7zip one? If users want to save 12MB of download bandwidth then they can go for 7zip, while folks preferring to use the Windows platform's built-in decompression can use the zip.

Meanwhile, I guess we should go harass 7zip and WinZIP to fix their websites :-)
(02-26-2018, 12:24 PM) danielsank wrote: Meanwhile, I guess we should go harass 7zip and WinZIP to fix their websites :-)

You might get further than trying to harass emulator developers that like to have small downloads.

Anyways, most of our users don't care about http downloads of 7zip. You're actually the first complaint. Combine that with the significant bandwidth savings, you're not making a convincing argument.

Also, if you click through 7zip's site a bit, you can get to their sourceforge (lol SF) where they host the code and https downloads of the 7zip installer for Windows.