[tor-talk] RIP Tor
Andreas Krey
a.krey at gmx.de
Wed Jun 8 12:13:47 UTC 2016
On Wed, 08 Jun 2016 11:41:14 +0000, CANNON NATHANIEL CIOTA wrote:
....
> Open source and compiling from source is best option. Hopefully there
> are enough programmers that are able to interpret the source code
> examining it. Although the source code may be good, most users do not
> compile from source. Most users install pre-compiled binaries. If I was
> an adversary I would have the source code clean and have a backdoor in
> the pre-compiled binaries knowing most people do not compile from
> source.

That's why tor is doing reproducible builds.

> Most people is all it takes for a sybil position in the network.
> To mitigate such a thing, one good solution would be to replace 'apt-get
> install tor'

I'd tend to trust Debian to do their thing right, at least as much
as I trust my own verification of what I downloaded to build tor.

> with instructions of how to download, verify integrity, and
> compile from source; in guides aimed at aspiring Tor node operators and
> advanced users.

Data point: https://github.com/apk/buildery/blob/master/tor-build/build.sh
This is with building openssl, and has issues that the LD_LIBRARY_PATH
needs to be correct when starting it. Should perhaps throw a -Bstatic
in there.

Andreas
--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800