When I opened Limewire Pro on two of my machines there was an alert at the bottom of my Limewire Screen telling me an update was available. I hit the alert, found the update, downloaded to Save, exited Limewire and installed the update. Nice, neat and clean.........no problems.........the advantage to having a fully functional and properly configured computer......Yes that is a poke at the others who blame LimeWire for their problems. LimeWire Update worked for me.

I have had it turned on since I noticed it beta checked I believe 4.5 but have never resieved a notifcation of updates

We haven't notified for 4.9.7 because we found some bugs with the update mechanism in 4.9.4 and 4.9.5.

The version.xml file that gets downloaded on startup or when it is discovered on the network is cryptographically signed with the LimeWire private key. It is only valid if this encrypted signature matches after decrypting it using the LimeWire public key.

So don't worry from where that XML file comes from. If it validates, then it was created by LimeWire LLC itself, and nobody else, not even any LimeWire open source developers). The LimeWire will not display such update notice from any version XML file with the wrong signature, and will discard it if you attempt to modify it). See it like emails you receive from anywhere but that for which you can trust its origin as it contains a cryptographic signature.

LimeWire has not, and will not reveal its own encryption private key needed to create or update that file. A non-LimeWire release created from the open sources would likely discard the Limewire notice or would embed the public key of the creator of that alternate release, instead of the LimeWire LCC public key, so that this alternate version can distribute its own version.xml file.

(Note that version.xml is not purely a XML file: it just appears to have an XML content, but is followed by the cryptographic signature.)

This security is based on the fact that if you can trust Limewire LLC to distribute the genuine version of Limewire that you are using, then you could trust Limewire LLC's signature used for its updates.

The same technic is used in general by all software distributors as well (the public key is generally encapsulated within a public certificate, stored and validable in a trustable PKI provider, which acts as the escrow for attesting that the author's identity shown in the certificate has been verified and is not patently false; this PKI can also provide information about the status of a certificate, for example if it has been compromized, and can tell you if the certificate is still valid, or if it has been invalidated by its original author).

Limewire can embed one or more public keys in each release: older ones (if they have not been compromized), and the most recent one. These public keys allow accepting update messages for all future versions that will be advertized and created using the corresponding private keys.

If someone does not upgrade immediately, and several major versions have been released, may be sometime in the future, none of its embedded public key will match the update messages for these future versions, if they are not created using one of the private keys corresponding to the public keys embedded in an old distribution used by some user.

It will take years before this happens, unless a private key has been compromized:
* For example if the LimeWire LLC private key appears to have been stolen by someone to create a volontarily broken version of Limewire, something that has still never happened,
* or if the cryptographically strong signature algorithm gets broken

Limewire uses a signature based on the wellknown irreversible SHA-1 cryptographic digest algorithm, which is still still safe for now; Limewire could switch at any time to a even stronger algorithm such as SHA-256 or SHA-512 which is supported now natively in Java 1.4.1+. Would the strength of this digest be ever compromized, the whole planet would be largely informed because this encryption algorithm is constantly monitored by lots of security companies. Breaking this digest algorithm is still a very challenging and difficult problem worldwide, needing lots of costly resources.

When this will occur, LimeWire would immediately change its signature, and would inform users on its web site that new update notifications will use a new key, and won't be delivered to users of old versions, that will have to update manually. No one can predict when such event will ever occur (those that would attempt to break the encryption algorithm would likely use their discovery fro more "profitable" criminal actions than just building a P2P servent, which can be freely downloaded from a wellknown source; if this ever happened, this forum would be filled with warning notices about fake and viral Limewire versions).

These considerations are true for any software that embeds a internet update system, including Microsoft Update, antivirus updates, Java auto updates, and so on...

__________________
LimeWire is international. Help translate LimeWire to your own language.
Visit: http://www.limewire.org/translate.shtml