[tor-dev] TUF Repository for Tor Browser
bancfc at openmailbox.org
Fri Jun 10 14:22:04 UTC 2016
In light of the technical obstacles that prevent packaging Tor Browser
(see below), I propose operating a repository that relies on The Update
Framework (TUF) [0]. TUF is a secure updater system designed to resist
many classes of attacks [1]. It's based on Thandy (the work of Roger,
Nick, Sebastian and others).
The advantage of this proposal is that (Tor-based distros and others in
general) can finally retire the TBB downloaders and shed the maintenance
burden. Also there is no need to re-invent secure download mechanisms
when there is a project that already covers this.
***
Rehash of previous discussions on the topic:
The major reasons why TBB is not in the Debian repository:
* The reproducible build system depends on a static binary image of
(then Ubuntu) which runs counter to Debian policy.
* TBB is based on Firefox ESR and not Iceweasel which also runs into the
"no duplicate source package" policy of Debian.
Reasons for unavailability of TBB .deb in the Tor Project APT
repository:
* The breakneck speed of development
* It's not easily packaged and the amount of effort needed is better
spent otherwise.
***
[0] https://theupdateframework.github.io/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md