[tor-dev] Tor Browser Launcher
Jacob Appelbaum
jacob at appelbaum.net
Mon Feb 18 16:49:56 UTC 2013
adrelanos:
> Jacob Appelbaum:
>> Do you plan to download TBB over Tor that is provided by the system, say
>> by adding a dependency on a system Tor?
>
> There has been a bit discussion about this in
> https://trac.torproject.org/projects/tor/ticket/5236 already. (Search
> for "over Tor" to quickly navigate it it.)
>
I've seen the ticket.
> I think downloading over Tor is desirable, but very difficult to implement.
>
It is as easy as adding a `depends: tor` line to the debian/control
file. In modern Debian or recent Ubuntus, it is fine.
> What about bridge users? They have to edit a system wide torrc and the
> TBB torrc?
>
You're over thinking it. Connecting to the Tor Project website often
fails - far more than the Tor network being blocked.
> What about users who don't want to ever connect to the public Tor
> network? -> https://trac.torproject.org/projects/tor/ticket/7197
>
Such users have a valid concern but I hardly think that this package is
for such users - as it stands right now, that problem is made worse by
both connecting to Tor's website *and* the public network.
>> A MITM may be able
>> to replay an old valid signature for a package, does your code handle
>> that case?
>
> I am not Micah, but I don't know how he could. I think the Tor Project
> would have to finish Thandy for that purpose.
>
It is easy - never allow a valid signature with a lesser version number.
>> You may enjoy the paper and code on theupdateframework.com to
>> look into those kinds of issues...
>
> Yes, it's really good.
>
> They also gave me a link to https://github.com/akonst/tuf (see docs folder).
Neat.
All the best,
Jacob
More information about the tor-dev
mailing list