
Re: [tor-bugs] #5236 [Tor bundles/installation]: Make a deb of the Torbrowser and add to repository



#5236: Make a deb of the Torbrowser and add to repository
--------------------------------------+-------------------------------------
 Reporter:  cypherpunks               |          Owner:                   
     Type:  enhancement               |         Status:  needs_information
 Priority:  normal                    |      Milestone:                   
Component:  Tor bundles/installation  |        Version:                   
 Keywords:                            |         Parent:                   
   Points:                            |   Actualpoints:                   
--------------------------------------+-------------------------------------

Comment(by proper):

 > Would you be into helping incorporate all of that into Tor Browser
 Launcher and make it more generic to work on any deb-based distro?

 I make it work on Debian and I think a test on Ubuntu will show that it
 works as well. Don't know about other distros.

 We need some design decision...

 gpg:

 a) Ship the gpg keys with the deb package and the packager keeps the keys
 updated? Or,
 b) hardcode the gpg fingerprints and download it from the keyserver?
 c) somehow magically parse the tpo verification page

 I think b) and c) are just more likely to break.

 a) and b) are equally secure. - The maintainer can hardcode a legit key or
 a legit fingerprint.

 I prefer a), because if a keyserver is offline this causes lots of support
 requests or it would have to fallback to other keyservers from the pool.
 Does Debian policy allow to ship the public keys with the package?

 A clean solution would be:
 #5606: "deb package with all torproject.org signing pgp keys" - but that
 requires help from tpo.

 ...or the TBB bundles get signed with the tpo archive signing keys instead
 of the individual account holders.

 Dependencies:

 What should the script depend on? Is curl fine? I like curl because it can
 enforce https with TLS. Is a dependency on bash ok with Debian policy? I'd
 hate caring about sh compatibility.

 Download through Tor:

 Download through Tor or clearnet? Download through Tor to allow obfsproxy
 (or similar) users to hide that they are using Tor? Download through Tor
 is a bit difficult so or so, since it would require Tor to be installed
 and another instance of Tor comes with the TBB package. Downloading Tor
 with apt-get wouldn't hide Tor anyway. I think it probably should download
 through clearnet unless someone has a better idea.

 Debian policy:

 Debian is against code duplication... So the script itself wouldn't be a
 code duplication, but the result download would result in duplicate code
 for Firefox and Tor. I personally find this policy odd and there should be
 exceptions.

 Progress bar:

 The script already has a zenity progress bar, which generally works well.
 Unfortunately it stops at 50% because I didn't manage to parse the curl
 progress bar into output usable by zenity. Can you help out here?

 Once this is decided I could remove the Whonix specific parts. Shouldn't
 take long.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5236#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
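
Option a) from the comment above combined with an HTTPS-only curl fetch, as an added example that is not the script discussed in the ticket: `gpgv` checks the signature against a keyring shipped in the package, and the status output is checked against a pinned fingerprint. The keyring path, the fingerprint value and the function names are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the ticket's script. Assumed/hypothetical names:
# KEYRING path, PINNED_FPRS value, fetch_https, status_ok, verify_bundle.
KEYRING="${KEYRING:-/usr/share/example-tbb-fetcher/signers.gpg}"
# Constructed placeholder, NOT a real signing-key fingerprint.
PINNED_FPRS="0000111122223333444455556666777788889999"

# Download over HTTPS only: no plain-HTTP URL, no redirect to another
# scheme, and HTTP error pages are treated as failures.
fetch_https() {  # usage: fetch_https URL OUTFILE
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail \
         --location --silent --show-error --output "$2" "$1"
}

# Read "gpgv --status-fd" lines on stdin. Succeed only if a VALIDSIG line
# names a pinned primary-key fingerprint and no failure status appears.
status_ok() {
    so_ok=1
    while read -r so_tag so_kw so_rest; do
        [ "$so_tag" = "[GNUPG:]" ] || continue
        case "$so_kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                # Last field is the primary-key fingerprint; if an old
                # gpgv omits it, nothing matches and the check fails closed.
                so_primary="${so_rest##* }"
                case " $PINNED_FPRS " in
                    *" $so_primary "*) so_ok=0 ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return "$so_ok"
}

# Verify DATAFILE against its detached signature using only the keys in
# the package-shipped keyring; no keyserver or user keyring is consulted.
verify_bundle() {  # usage: verify_bundle SIGFILE DATAFILE
    gpgv --keyring "$KEYRING" --status-fd 1 "$1" "$2" 2>/dev/null | status_ok
}
```

Because `gpgv` trusts exactly the keys in the keyring it is given, an offline keyserver cannot block verification, and updating the signer set is a package update.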