[tor-bugs] #28682 [Core Tor]: Carml lacks PGP signatures and instructions for secure installation
#28682: Carml lacks PGP signatures and instructions for secure installation
--------------------+--------------------------
Reporter: wagon | Owner: meejah
Type: defect | Status: assigned
Priority: Medium | Component: Core Tor
Version: | Severity: Normal
Keywords: carml | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------+--------------------------
Meejah's carml isn't listed as officially supported by Tor Project, but
meejah is somehow listed among Tor people and carml itself is officially
[[https://blog.torproject.org/exploring-tor-carml|advertised]] in Tor
blog. So, I suppose this ticket can be accepted here.
== Problem 1: no signatures
Correct me if I'm wrong. There are no PGP signatures of
[[https://github.com/meejah/carml/releases|carml releases]] anywhere at
[[https://carml.readthedocs.io/en/latest/releases.html|project pages]]
(however, txtorcon library is signed).
== Problem 2: no python3 docs
[[https://carml.readthedocs.io/en/latest/installation.html|Documentation
on installation]] is written for python2 instead of python3. However,
support of python3 is claimed. In particular, there is no `virtualenv`
command for python3, as `pyvenv` [[https://askubuntu.com/questions/279959
/how-to-create-a-virtualenv-with-python3-3-in-ubuntu|is used]] instead.
== Problem 3: no secure installation of carml dependencies
`pip install <projectname>` with automatic download of all dependencies
from the repository, as recommended in the documentation, should never be used in
secure environments, because packages in this repository are not signed
(even if they are signed, their signatures are not checked by default).
Actually, some dependencies (probably old versions) can be installed as
standard Debian packages, but `pip` will not be able to see them by
default (especially in a `pyvenv` environment). There is only one way to
install it securely:
1. Download the carml bundle and its signature.
2. Download bundles for **all** carml dependencies and their signatures.
3. Verify signatures of all downloaded bundles manually (don't ask me what
to do if somebody releases his code without signatures).
4. Disconnect from the network.
5. Install carml and its dependencies as `pip install /path/to/local-bundle`.
6. Create some symlinks, so carml can find all dependencies it needs.
This is what I expect to see in documentation. For instance, for Nyx it
was done
[[https://trac.torproject.org/projects/tor/ticket/28332#comment:7|exactly
so]] (but it has only one dependence, Stem):
1. Download Nyx, its signature, and verify it.
2. Download Stem, its signature, and verify it.
3. Install Stem, install Nyx, create necessary symlink.
As a workaround I'd suggest putting all necessary dependencies in a signed
carml bundle, so users will not suffer during assembling of this
constructor.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28682>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
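Steps 3 to 5 of the procedure in the ticket, as an added example that is not part of the ticket, of carml or of txtorcon: check each downloaded bundle, then call pip in a mode that cannot reach PyPI. It assumes gpg is installed with the signers' keys already imported and fingerprint-checked, and a sha256sum-style manifest that the installer writes after the signature check; the bundle file names are constructed.

```python
"""Verify locally downloaded bundles, then install them without network access."""
import hashlib
import subprocess
from pathlib import Path
from typing import List


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_manifest(bundle_dir: Path, manifest: str) -> List[Path]:
    """Compare every bundle against a 'sha256  filename' manifest (sha256sum
    output format, an assumption of this example). Returns the verified paths;
    raises on a missing file or a mismatch so one bad bundle aborts everything."""
    verified = []
    for line in manifest.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        expected, name = line.split()
        path = bundle_dir / name
        if not path.is_file():
            raise FileNotFoundError(f"bundle missing: {name}")
        actual = sha256_of(path)
        if actual != expected.lower():
            raise ValueError(f"sha256 mismatch for {name}: {actual}")
        verified.append(path)
    return verified


def gpg_verified(bundle: Path) -> bool:
    """Step 3 of the ticket: check the detached signature stored next to the
    bundle as <name>.asc. Only meaningful after the signer's key was imported
    and its fingerprint checked by hand; gpg on PATH is assumed."""
    sig = bundle.with_name(bundle.name + ".asc")
    result = subprocess.run(["gpg", "--verify", str(sig), str(bundle)],
                            capture_output=True)
    return result.returncode == 0


def offline_install_cmd(bundles: List[Path]) -> List[str]:
    """Steps 4 and 5: --no-index keeps pip away from PyPI and --no-deps stops
    it from silently pulling unverified dependencies, so every bundle
    (dependencies first) must be listed explicitly."""
    return ["python3", "-m", "pip", "install", "--no-index", "--no-deps",
            *[str(b) for b in bundles]]
```

Run `gpg_verified` on each bundle before writing the manifest; `check_manifest` then guards against a file being swapped between the signature check and the install.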