[tor-bugs] #8542 [GetTor]: More options on how to get the bundles
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 14 03:57:00 UTC 2013
#8542: More options on how to get the bundles
-------------------------+--------------------------------------------------
Reporter: mrphs | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: GetTor | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by arma):
For posterity, here's my mail from April 19:
{{{
In my opinion (just in case we need even more ;), gettor should either
send you the thing you wanted as an attachment, or it should send you
a pile of little things to help you get what you wanted. Those little
things could include:
- One or more URLs, some preferably https, for where you can download
the thing.
- A sha1 of the thing, plus instructions on how to compare the sha1 with
the thing once you've fetched it.
- A PGP signature on the thing, for those hardcore people for whom a
sha1 isn't enough.
- A bittorrent file to help you fetch the thing -- extra points that
it's self-authenticating assuming you got the right bittorrent file.
- Whatever other tricks we can come up with. The more the merrier, so
long as our instructions text doesn't get too complex.
I think sending people the sha1, then having them fetch the file from
$wherever, is very powerful. It's not as good, in theory, as giving them
a gpg signature -- but let's remember that our "verifying the signature"
instructions on Windows start with "first, fetch gpg.exe from this
http url".
I share Andrew's hesitancy over trusting third parties, but to a large
extent we were already doing that with the gmail approach.
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8542#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list