
[tor-dev] TUF Repository for Tor Browser



In light of the technical obstacles that prevent packaging Tor Browser (see below), I propose operating a repository that relies on The Update Framework (TUF) [0]. TUF is a secure updater system designed to resist many classes of attacks [1]. It's based on Thandy (the work of Roger, Nick, Sebastian and others).

The advantage of this proposal is that (Tor-based distros and others in general) can finally retire the TBB downloaders and shed the maintenance burden. Also there is no need to re-invent secure download mechanisms when there is a project that already covers this.

***

Rehash of previous discussions on the topic:

The major reasons why TBB is not in the Debian repository:

* The reproducible build system depends on a static binary image of (then Ubuntu) which runs counter to Debian policy.

* TBB is based on Firefox ESR and not Iceweasel which also runs into the "no duplicate source package" policy of Debian.


Reasons for unavailability of TBB .deb in the Tor Project APT repository:

* The breakneck speed of development

* It's not easily packaged and the amount of effort needed is better spent otherwise.



***

[0] https://theupdateframework.github.io/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev