active-trader-pro 1.0.55 (unversioned pkg)

[karimbenbourenane]

Fidelity has changed the URL for Active Trader Pro to be an unversioned link, and at the same time has switched from using a zip archive to using a pkg installer.

Important: Do not tick a checkbox if you haven’t performed its action. Honesty is indispensable for a smooth review process.

In the following questions <cask> is the token of the cask you're submitting.

After making any changes to a cask, existing or new, verify:

• The submission is for a stable version or documented exception.
• brew audit --cask --online <cask> is error-free.
• brew style --fix <cask> reports no offenses.

Additionally, if adding a new cask:

• Named the cask according to the token reference.
• Checked the cask was not already refused.
• Checked the cask is submitted to the correct repo.
• brew audit --cask --new <cask> worked successfully.
• HOMEBREW_NO_INSTALL_FROM_API=1 brew install --cask <cask> worked successfully.
• brew uninstall --cask <cask> worked successfully.

---

[krehel]

Is there an issue with the URL provided in the Sparkle feed, which is versioned and still a zip? The application contained in the unversioned pkg file is the same version.

https://www.fidelity.com/webcontent/Codeweaver/activetrader-1.0.55.zip

[karimbenbourenane]

The version number is the same, but they are two different things. The app contained in the old resource path does not work on Apple Silicon running MacOS 14.4 (that's what I'm running, and is all I can personally test right now). The application produces an error window at runtime that asks the user to install the latest version at the new URL.

Also, the "old" 1.0.55 is zip archive containing only the application itself, while the "new" version of 1.0.55 is a pkg installer. It appears they've made changes without bumping the version number and released a fundamentally different version of the software using the same version number as before.

[karimbenbourenane]

You're right that the old archive does work, it seems that this was just a problem on my machine. I'm rescinding this merge request.

[krehel]

No worries @karimbenbourenane - thanks for looking into it a bit more. I got tied up today. Please feel free to reopen if your findings change and we do need an update.

FWIW, the additional scrutiny comes from reducing security by removing the sha256, and I couldn't find a lot of difference between the app in the zip or the app in the pkg. We try to poke these around a bit more.

Cheers

[karimbenbourenane]

@krehel thanks for your review despite this being an unnecessary change. I also was not pleased with the need to change the sha256 check but it appears that Fidelity is now linking directly to an unversioned package. Thankfully their old archive still exists and is still reachable, but if that changes in the future I'll evaluate and make changes as needed. Thanks again!