v2.4.4
v2.4.4
OpenSSF Scorecard hygiene release. No behavior changes — plugin DLL byte-identical to v2.4.3 except for the version number. In-place upgrade is harmless.
License classification fix
GitHub's license classifier expects the canonical MIT text in LICENSE without modifications. The previous file appended "Third-party components" and "Summary" sections, which tripped the auto-detect and showed up as Warn: project license file does not contain an FSF or OSI license on Scorecard.
LICENSE now contains only canonical MIT. Everything that used to live below the legal text moved to a new top-level THIRD-PARTY.md — same content, more discoverable, and the classifier sees a clean license file.
Pinned Docker base image
.clusterfuzzlite/Dockerfile referenced gcr.io/oss-fuzz-base/base-builder-csharp, which is referenced in ClusterFuzzLite's csharp docs but is not actually published to gcr.io and is not in the OSS-Fuzz upstream infra/base-images/ tree. Swapped to the generic gcr.io/oss-fuzz-base/base-builder (which exists) pinned by SHA256. This fixes Scorecard's Pinned-Dependencies finding without changing anything that runs (the CFLite C# GitHub Action wrapper still doesn't accept language: csharp, so the harness still only runs locally for now).
Provenance now attached to release assets
actions/attest-build-provenance writes the SLSA attestation to GitHub's attestation registry (queryable via gh attestation verify). Scorecard's Signed-Releases check, however, inspects release assets directly and looks for files ending in .intoto.jsonl. The release workflow now also copies the attestation bundle into dist/ and uploads it as a release asset, so Scorecard sees provenance on the same page it sees the zip.
What downstream users see
- A new
Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.zip.intoto.jsonlfile on the GitHub Release page next to the existing.zip,.md5,.sha256,.sig,.pem. - LICENSE now reads more cleanly; legal terms unchanged.
- Everything else identical to v2.4.3.
Upgrade
In-place. No config or behavior changes; the plugin .dll inside the zip is functionally the same.
Package checksums
- MD5: see
Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.md5 - SHA256: see
Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.sha256
Sigstore-signed + SLSA-attested. Verify with cosign verify-blob or gh attestation verify.