[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5236 [Tor bundles/installation]: Make a deb of the Torbrowser and add to repository



#5236: Make a deb of the Torbrowser and add to repository
--------------------------------------+-------------------------------------
 Reporter:  cypherpunks               |          Owner:                   
     Type:  enhancement               |         Status:  needs_information
 Priority:  normal                    |      Milestone:                   
Component:  Tor bundles/installation  |        Version:                   
 Keywords:                            |         Parent:                   
   Points:                            |   Actualpoints:                   
--------------------------------------+-------------------------------------

Comment(by micahlee):

 I have a working (and pretty polished) first version of Tor Browser
 Launcher. The code is all here: https://github.com/micahflee/torbrowser-
 launcher

 Here are screenshots, and descriptions of each step:
 http://imgur.com/a/Mvpwl

 Here's how it works:

 ~/.torbrowser/download/ -- where TBB .tar.gz and their signatures get
 downloaded to
 ~/.torbrowser/gpgtmp/ -- a directory to temporarily use to verify TBB
 signatures
 ~/.torbrowser/tbb/ARCHITECTURE/tor-browser_LANGUAGE/ -- where TBB gets
 extracted to

 When you run, if TBB isn't installed it downloads the .tar.gz and the
 .tar.gz.asc and verifies the signature. If the signature is good, it
 extracts and then runs. If the signature is bad, it displays an error with
 the option to re-download.

 If TBB is installed, it just runs it.

 If TBB is out of date, it pops up an interface to download the update,
 then verifies it, extracts it, and runs it. It extracts it over the old
 TBB directory, so bookmarks get preserved.

 Getting TBB by apt-get installing torbrowser-launcher will be a more
 secure way of install TBB also, since it verifies the signature. My guess
 is barely anyone manually verifies the signature.

 I think this could get accepted into Debian.

 Right now, Tor Browser Launcher knows what version the current version is
 because it's hard-coded in the source code. That means each time a new
 version comes up, I'll need to update Tor Browser Launcher with the new
 current version, and there will be a gap between the time that TBB gets
 released and the updated package lands in Debian. That isn't good.

 I have an idea for how to fix it, but it will require the TBB maintainers
 to update a file at torproject.org that states the current version and
 maybe a timestamp. It could be something like
 https://www.torproject.org/download/current_version, and possibly also a
 signature of that file.

 If this could happen, then Tor Browser Launcher wouldn't need constant
 maintenance. It could just check for the current version each time it
 starts. Of course, the request that checks for the current version
 wouldn't go over Tor.

 But if there were a consistent way to check for the current version it
 would be possible to actually download updates over Tor without requiring
 an extra tor dependency. I could write a Tor Browser Launcher Firefox
 extension. After extracting the tarball, I can install the extension into
 the Firefox profile. All it will do is, as soon as you launch TBB, check
 to see if there are updates available (over Tor). If there are, it can
 popup an update dialog. Then, this extension can download the new .tar.gz
 and .tar.gz.asc files, put them in ~/.torbrowser/download, and then ask
 you to restart. After restarting, the launcher could verify the signature,
 extract, and run the new version.

 Do you think this current version file is something Tor Project could
 maintain?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5236#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs