[tor-dev] Why not use The Update Framework? (TUF)

adrelanos adrelanos at riseup.net
Mon Aug 5 19:05:47 UTC 2013


> For TBB 3.0, we should use the Firefox updater. We should audit the
> Firefox updater for issues, and triage which of Thandy's features we
> should merge to it. (For example, we might want to sign the metadata
> file if it isn't signed; timestamp it if it isn't timestamped, add
> multiple-signature support, and so on.) [1]

That sounds like reinventing the wheel.

> Thandy was a good research platform, not a long-term piece of software
> we want to support. [1]

Why not use its predecessor, TUF? [2] [3]

TUF is written in Python, and after all those years, TUF developers are
still maintaining it and actively developing it. I think in future TUF
will become a mature and widespread solution. Also work is being done to
let pip (the Python library installer) internally use TUF. So it can't
be so bad after all?

If you have discussed this and reasons for rejecting, fine. Just wanted
to throw it in, because I think basing this feature on another active
project (TUF) works better than reinventing the wheel.

[1] Commenting on:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/BundleUpdatePlan
[2] https://www.updateframework.com/
[3] https://github.com/theupdateframework/tuf

