[tor-dev] Are we planning to use the "package" mechanism?

Tom Ritter tom at ritter.vg
Mon Jun 19 15:21:53 UTC 2017


On 16 June 2017 at 13:15, Roger Dingledine <arma at mit.edu> wrote:
> On Fri, Jun 16, 2017 at 02:08:53PM -0400, Nick Mathewson wrote:
>> With proposal 227 in 0.2.6.3-alpha, we added a way for authorities to
>> vote on e.g. the latest versions of the torbrowser package.
>>
>> It appears we aren't actually using that, though.  Are we planning to
>> use it in the future?
>
> Last I checked, the authority operators were uncomfortable with the
> slippery slope of "everybody who has some sort of package sends us their
> filename and checksums", because then every Tor client and relay fetches
> that text every hour forever, and we could imagine that blob of text
> growing out of hand.
>
> That said, having the directory authorities vote about a checksum
> of a file, and that file contains all the things, and somebody else
> coordinates what goes in that file, how to handle name spaces in it,
> etc, sounds like it could be totally doable.
>
> That said, from the directory authority perspective, we would want to
> automate the process of voting about that file -- not have the authority
> operators manually check the file and change the sha256 every time
> somebody updates it.
>
> For example, we could wget the file and then put the checksum into our
> votes, thus giving some sort of primitive perspective-access-network
> style robustness.
>
> I don't know what this approach would do to the security assumptions
> from that proposal though.

This sounds like the right approach is a transparency log - the
authorities include a single hash; and it's the responsibility of all
interested packagers to put their submissions in the log...

-tom

On 16 June 2017 at 13:15, Roger Dingledine <arma at mit.edu> wrote:
> On Fri, Jun 16, 2017 at 02:08:53PM -0400, Nick Mathewson wrote:
>> With proposal 227 in 0.2.6.3-alpha, we added a way for authorities to
>> vote on e.g. the latest versions of the torbrowser package.
>>
>> It appears we aren't actually using that, though.  Are we planning to
>> use it in the future?
>
> Last I checked, the authority operators were uncomfortable with the
> slippery slope of "everybody who has some sort of package sends us their
> filename and checksums", because then every Tor client and relay fetches
> that text every hour forever, and we could imagine that blob of text
> growing out of hand.
>
> That said, having the directory authorities vote about a checksum
> of a file, and that file contains all the things, and somebody else
> coordinates what goes in that file, how to handle name spaces in it,
> etc, sounds like it could be totally doable.
>
> That said, from the directory authority perspective, we would want to
> automate the process of voting about that file -- not have the authority
> operators manually check the file and change the sha256 every time
> somebody updates it.
>
> For example, we could wget the file and then put the checksum into our
> votes, thus giving some sort of primitive perspective-access-network
> style robustness.
>
> I don't know what this approach would do to the security assumptions
> from that proposal though.
>
> --Roger
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev


More information about the tor-dev mailing list