[tor-bugs] #10395 [Tor]: Tor's consensus lists Torbrowser updates
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 29 14:44:30 UTC 2015
#10395: Tor's consensus lists Torbrowser updates
-------------------------+-------------------------------------------------
Reporter: | Owner: mikeperry
StrangeCharm | Status: needs_review
Type: | Milestone: Tor: 0.2.6.x-final
enhancement | Version:
Priority: major | Keywords: pantheon chronos prop227 nickm-
Component: Tor | patch
Resolution: | Parent ID: #10393
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by gk):
Replying to [comment:15 mcs]:
> Kathy and also want to raise some Prop 227 issues that are specific to
Tor Browser's intended usage (for Mike and GK to ponder):
>
> - The proposal mentions a "proposed update timestamp" which is checked
against the consensus timestamp. Where will that timestamp come from? It
seems like it will need to be a field within the JSON document that the
consensus points to, but if so, the steps described are slightly out of
order (the JSON file would need to be downloaded and its hash verified
against the consensus before the timestamp could be retrieved and
checked).
Good question. Even after re-reading section 3.1 a couple of times it is
still not easy to extract all the necessary things. I think we need to
rethink/clarify that section at least partly (for instance, that the Tor
Browser is dowloading the JSON file again and is using that one (How does
it e.g. know it got the one the Tor client downloaded earlier to check
whether the hash is correct?) seems a bit weird. At least the hash should
be checked again. Probably the JSON file should get downloaded only once
anyway...). But as far as I can see there are no additional tor things
needed.
> - If we do not include an OS/platform name in the consensus package
names, then we will always need to release Tor Browser for all platforms
at the same time. This might be OK, but it is worth thinking about
whether we want to use one package name (e.g., tbb-stable or maybe just
tb-stable) or 3 package names (e.g., tb-stable-linux, tb-stable-win, tb-
stable-mac).
This is a good point. I am leaning to Nick's idea to even include the full
OS/platform portion. IIRC in the past we had at least one occasion where
we shipped only new bundles for 64 bit Linux. That was related to a
compiler bug: #10195. If we think that's too much overhead then at least
the OS should get added. We may want to add a Tor Browser for Android one
day and I can imagine that these bundles are different enough that we (at
least in the beginning) have to release bugfixes much more frequent than
for Linux/Mac/Windows bundles.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10395#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list