[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] TUF Repository for Tor Browser

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] TUF Repository for Tor Browser
From: bancfc@xxxxxxxxxxxxxxx
Date: Fri, 10 Jun 2016 16:22:04 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 10 Jun 2016 10:23:48 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1465568603; bh=jD+kS0EjEwC0QzNrPmMLiw52H1aKdOOQO2bPgSdkv1Y=; h=Date:From:To:Subject:From; b=I3s9xlfG+3ba9Dr+J4NxDLOS4aFRABxntQ1rk4Jp7U/8RfCm93D8htzUWi2GiQyTy JJE74WzaPvs3IJeeC6C8L7GnGqtGYJ8zxK/OT3xnxDy4NqYfv+LBu7fOqWz3RpOdsV /IFvHuF/d6e2WEZQSNv5R+Bvw2iQBJs0+jD16i+o=
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.0.6

In light of the technical obstacles that prevent packaging Tor Browser(see below), I propose operating a repository that relies on The UpdateFramework (TUF) [0]. TUF is a secure updater system designed to resistmany classes of attacks [1]. Its based on Thandy (the work of Roger,Nick, Sebastian and others).

The advantage of this proposal is that (Tor based distros and others ingeneral) can finally retire the TBB downloaders and shed the maintenanceburden. Also there is no need to re-invent secure download mechanismswhen there is a project that already covers this.


***

Rehash of previous discussions on the topic:

The major reasons why TBB is not in the Debian repository:

* The reproducible build system depends on a static binary image of(then Ubuntu) which runs counter to Debian policy.

* TBB is based on Firefox ESR and not Iceweasel which also runs into the"no duplicate source package" policy of Debian.

Reasons for unavailability of TBB .deb in the Tor Project APTrepository:


* The break neck speed of development

* Its not easily packaged and the amount of effort needed is betterspent otherwise.




***

[0] https://theupdateframework.github.io/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] TUF Repository for Tor Browser
  - From: carlo von lynX
- Re: [tor-dev] TUF Repository for Tor Browser
  - From: Lunar

Prev by Author: [tor-dev] Paper: SoK: Towards Grounding Censorship Circumvention in Empiricism
Next by Author: Re: [tor-dev] TUF Repository for Tor Browser
Previous by thread: Re: [tor-dev] Bridge Directory Consensus
Next by thread: Re: [tor-dev] TUF Repository for Tor Browser
Index(es):
- Author
- Thread