[tor-dev] Using a Tap for Tor's Homebrew recipe to increase confidence in source code authenticity

Mark Rushakoff mark.rushakoff at gmail.com
Tue Aug 5 05:44:18 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I noticed that in the instructions for using Homebrew to install Tor
on OSX, the instructions say:

> As with any application, you should make sure it came unmodified from the original source. Unfortunately, Homebrew does not come with integrated verification for downloads, and anyone could submit a modified Tor!

If you use a [Brew
Tap](https://github.com/Homebrew/homebrew/wiki/brew-tap), you can have
a separate repository (which must be on Github) to track the Tor
formula. I believe that if the Tor Project owns that repository, there
should be higher confidence that a user installing Tor with Homebrew
is installing the intended source code, so long as the user runs `brew
install TheTorProject/tor/tor` (instead of just `brew install tor`,
which will use the formula in the main Homebrew repo).

If this sounds like something the devs desire, I have a tap repository
ready to go at https://github.com/mark-rushakoff/homebrew-tor.  It
includes the tor.rb formula from Homebrew, including its full history.
If you fork it to the Tor project (or perhaps Github offers a way for
me to transfer ownership), then only someone affiliated with Tor will
be able to approve changes to where Homebrew retrieves source code to
build Tor.

The only extra work in adopting this solution would be finding a way
to "deprecate" or redirect the main recipe under Homebrew. I'm not
familiar enough with Homebrew to provide direction on that topic,
unfortunately.

Mark Rushakoff
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.6.1-dev
Comment: http://openpgpjs.org

wsBcBAEBCAAQBQJT4G8NCRDqKXFAudXBCAAAcKYIAJwa99tJQOHxvzn1DyDW
DZD+ktBrAg0pZ4FEE58+n2KiH1hzeHGuhLh4mLlsD30CGlDqtjmYKiU7VR/P
g9jsQTawqmACI5KQkMkOMkdBKsjKfNwCaLxA7mdSoCHsRcmSKhQH++rg1Bli
JiQrHgi9DihNrUku2/Km7leiurBrKED1KK2KAJ9mKnVMF2iRjcV//VQ9Nbtp
WJp92mydyTnBEGYQPrt6M57WZjYvrkvYV1/eHYZpulrGcPAcXzDYnHgRhRPL
9bolbQhwyPWU6gvEdLC/+NAlCpN1Lfd/RFCyhksgVr6RT8GJFSdpjg1UVkw4
U/63nEVJR8cF0boBtUWQReQ=
=baFT
-----END PGP SIGNATURE-----
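The commands a user would run against a Tor-owned tap, and the check a tap maintainer (or a cautious user) can make before trusting what that tap pins, as an added example that is not part of the original mail and not the Tor Project's or Homebrew's own code. The tap name `TheTorProject/tor` is the hypothetical one proposed above; the formula and tarball used below are constructed fixtures, and the example assumes the formula pins a `sha256` line as current Homebrew formulas do. Note the caveat the example is built around: the checksum in a formula only defends against a tampered download, not against a tampered formula, which is exactly why who controls the tap repository matters.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes a hypothetical tap
# "TheTorProject/tor" and a formula that pins a sha256 checksum.

# What a user types. `brew info` ends with a "From:" line naming the
# formula file that was used, so it shows whether the tap or the main
# Homebrew repository supplied the recipe. Not invoked by the checks below.
install_from_tap() {
  brew tap TheTorProject/tor &&
  brew install TheTorProject/tor/tor &&
  brew info tor
}

# Extract the sha256 pinned in a formula file (first `sha256 "..."` line).
formula_sha256() {
  sed -n 's/^[[:space:]]*sha256[[:space:]]*"\([0-9a-f]\{64\}\)".*/\1/p' "$1" | head -n 1
}

# sha256 of a file, using whichever tool the host provides (Linux or macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 when the tarball matches the formula's pinned checksum, 1 otherwise.
# A formula with no sha256 line fails closed.
verify_tarball() {
  formula="$1"; tarball="$2"
  want=$(formula_sha256 "$formula")
  got=$(file_sha256 "$tarball")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed fixtures for a stand-alone, offline run: a fake tarball, a
# minimal formula pinning its checksum (not the real tor.rb), and a second
# file standing in for a substituted download. Prints the fixture directory.
make_fixtures() {
  dir=$(mktemp -d)
  printf 'not a real tor tarball\n' > "$dir/tor-0.0.0.tar.gz"
  sum=$(file_sha256 "$dir/tor-0.0.0.tar.gz")
  cat > "$dir/tor.rb" <<EOF
class Tor < Formula
  homepage "https://www.torproject.org/"
  url "https://dist.torproject.org/tor-0.0.0.tar.gz"
  sha256 "$sum"
end
EOF
  printf 'tampered download\n' > "$dir/evil.tar.gz"
  echo "$dir"
}

# Stand-alone run: expect "ok" for the genuine tarball, "MISMATCH" for the other.
d=$(make_fixtures)
verify_tarball "$d/tor.rb" "$d/tor-0.0.0.tar.gz" && echo "tor-0.0.0.tar.gz: ok"
verify_tarball "$d/tor.rb" "$d/evil.tar.gz" || echo "evil.tar.gz: MISMATCH"
```

For the pinned checksum to mean anything, the person committing it should have verified the upstream tarball first, for instance with `gpg --verify` against the detached `.asc` signature the Tor Project publishes alongside its releases; the tap then carries that verification forward to every user who installs from it, and only the tap's owners can change the `url` or `sha256` lines.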