[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] TBB Gentoo ebuild

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] TBB Gentoo ebuild
From: Mansour Moufid <mansourmoufid@xxxxxxxxx>
Date: Sun, 12 Aug 2012 16:56:23 -0400
Cc: poncho@xxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 12 Aug 2012 16:55:46 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=/jls7jjuxRSwSXvP6H4Hks2+XCL/fqngaHMeBASv9jg=; b=RrLnsE8TLwwqnXZLHnjA+YR9M81/swLInmvpAgow9h3v6UMtM7xX0d0701XMMj2SSd PWEePpKrLgdzmWLr09psJzQxbFP6BnUiEqXtfwQy3PDGyGnKnsbzJY3uXl4uoAc5CWH4 sOp33tQ8yQq0huuCciUig3wgMDJ6rOfqarEjMsoL47BHgzJiW6YlGEuXUNp+GXW9Dhfx nVJTWNY43Sl3Tar3H19zaKbtXNyXbi8HJlNo4JX5MeWh+aMR7ZQDMHlc8vvV5l1IjTPI i6+/rR+cDwdPc6xynSeUCmLGnPufl50MkXPdLqxOe+AaZkK84UU2ILqnGoSDR1rjyjXY SgcA==
In-reply-to: <cnEUYMB3a69NiBKRogPNT9rEqeLTrmNaR5rfl-VsT9j9uZo-m9w1UVwptz3YFVOPmJskm25eOCAHxsD0yhUHqw@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <iZ4ypQvbZcy06oMaqXrNUzbaqsiPRznEDATkMu_VDfcJKvYUNjHCpCUuycKnWiaWgshci8qkmWnRh-ZvaqU6Kw@xxxxxxxxxxxxxxxxxxxxx> <4E0B21C5-441E-4F38-9CAF-617C08FB6E15@xxxxxxxxx> <cnEUYMB3a69NiBKRogPNT9rEqeLTrmNaR5rfl-VsT9j9uZo-m9w1UVwptz3YFVOPmJskm25eOCAHxsD0yhUHqw@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On 2012-08-12, at 3:36 PM, Alessandro Di Federico wrote:

> On Sun, 2012-08-12 at 15:11 -0400, Mansour Moufid wrote:
>> Portage offers no authentication and no confidentiality.
> 
> Each file has a SHA-256, SHA-512 and Whirlpool hash associated. This
> hashes are in Portage, and if you're a security-aware user (as most of
> Gentoo users are) you can get it in a secure way, which means
> PGP-signed.
> 
> Take a look at the handbook:
> http://www.gentoo.org/doc/en/handbook/2008.0/handbook-x86.xml?part=2&chap=3#doc_chap6

Portage uses rsync to get the ebuild and Manifest (signed hashes) from
mirrors, which, along with anyone in between, can send you bogus ebuilds
with whatever Manifest.

Even with webrsync you still have to trust the mirror(s), and then the
Gentoo release infrastructure...

Getting TBB from tp.o with Chrome is end-to-end and secure.

Anyway, good luck.

Mansour

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] TBB Gentoo ebuild
  - From: Alessandro Di Federico
- Re: [tor-dev] TBB Gentoo ebuild
  - From: Mansour Moufid
- Re: [tor-dev] TBB Gentoo ebuild
  - From: Alessandro Di Federico

Prev by Author: Re: [tor-dev] TBB Gentoo ebuild
Next by Author: Re: [tor-dev] TBB Gentoo ebuild
Previous by thread: Re: [tor-dev] TBB Gentoo ebuild
Next by thread: Re: [tor-dev] TBB Gentoo ebuild
Index(es):
- Author
- Thread