[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] RIP Tor



On Wed, 08 Jun 2016 11:41:14 +0000, CANNON NATHANIEL CIOTA wrote:
....
> Open source and compiling from source is best option. Hopefully there 
> are enough programmers that are able to interpret the source code 
> examining it. Although the source code may be good, most users do not 
> compile from source. Most users install pre-compiled binaries. If I was 
> an adversary I would have the source code clean and have a backdoor in 
> the pre-compiled binaries knowing most people do not compile from 
> source.

That's why tor is doing reproducible builds.

> Most people is all it takes for a sybil position in the network. 
> To mitigate such a thing, one good solution would be to replace 'apt-get 
> install tor'

I'd tend to trust debian to do their thing right, at least as much
as I trust my own verification of what I downloaded to build tor.

> with instructions of how to download, verify integrity, and 
> compile from source; in guides aimed at aspiring Tor node operators and 
> advanced users.

Data point: https://github.com/apk/buildery/blob/master/tor-build/build.sh
This is with building openssl, and has issues that the LD_LIBRARY_PATH
needs to be correct when starting it. Should perhaps throw a -Bstatic
in there.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk