[tor-talk] automatic Tor browser updates
Mirimir
mirimir at riseup.net
Sun Feb 14 10:44:41 UTC 2016
On 02/14/2016 01:16 AM, Ken Cline wrote:
>
>> On 13 Feb 2016, at 10:33 PM, Mirimir <mirimir at riseup.net> wrote:
>>
>> I can't say that I trust the MAR update protocol as much as
>> checking GPG signatures.
>
> In practice, the OpenPGP format used by GPG is unsatisfactory for
> automatic software updates. GPG does not provide a library for
> creating or reading this format, so you'd have to run the signature
> checking in a child process, along with gpg-agent, intrusive keyring
> management, and quirky behavior across operating systems. More
> trouble than it is worth!
Well, apt seems to handle GnuPG signatures quite transparently. But yes,
then there are Windows and iOS.
<SNIP>
More information about the tor-talk
mailing list