I cannot find any evidence of the integrity of this file being verified before it is installed as root. Users are therefore vulnerable to:
- MITM at ANY hop between their host and sourceforge
- Compromise of sourceforge
We have to trust the maintainer of the Linux version of Palemoon, as well as the Palemoon maintainer, as well as the maintainers of the packages used in compilation. We should not have to additionally trust sourceforge and arbitrary Internet nodes.
Can this lack of verification of the integrity of the file before installing it as _root_ be assigned as a bug?
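
One way an installer could close the gap this report describes, as an added example (not code from the installer or from the report's author): check the downloaded file against a SHA-256 digest pinned in the installer itself before any step runs as root, and refuse on any mismatch. It assumes `sha256sum` is available and that the pinned digest reaches the user by a channel other than the download mirror; the function names and the demo file are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed integrity check before a privileged install step.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE's SHA-256 equals EXPECTED_HEX; 2 on malformed input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters, so an empty
    # or truncated pinned value can never compare equal by accident.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_if_verified ARCHIVE PINNED_DIGEST
# The privileged extraction would run only inside the success branch.
install_if_verified() {
    if verify_sha256 "$1" "$2"; then
        echo "digest OK: $1 may be installed"
        return 0
    fi
    echo "digest mismatch or bad input for $1: refusing to install" >&2
    return 1
}

# Constructed demo: a stand-in "archive" holding the bytes "abc".
demo=$(mktemp)
printf 'abc' > "$demo"
PINNED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
install_if_verified "$demo" "$PINNED"
printf 'x' >> "$demo"    # file no longer matches what the maintainer published
install_if_verified "$demo" "$PINNED" || true
rm -f -- "$demo"
```

A pinned digest only removes the mirror and the network path from the trust set if the installer carrying it is itself obtained and verified independently, for example through a maintainer signature.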