[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Comments on Yawning's Draft proposal for Debian

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] Comments on Yawning's Draft proposal for Debian
From: bancfc@xxxxxxxxxxxxxxx
Date: Sun, 12 Jun 2016 16:41:57 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 12 Jun 2016 10:42:18 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1465742522; bh=xej/VTCVK8YorxVjEGPvJEcPgKtl6UlC9gob6yabEHw=; h=Date:From:To:Subject:From; b=BmW4wE8ohhFoOcM9eZI4U9obb3m5jFsafqWTK5Y2MD3/FLw7S9xD3q2BfGsDxSDlJ mTO3wN69jBGyXrSPe9A9N4TMgbsQw8yvcJS5Sw+orTscvXQaf3LrN1bAen7KiY8o9t Hl5WQapZkc2HVdnce2T8yx2OP/9fbddE9T/82Bpc=
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.0.6

I thought the proposal [1] is well written but there is one major pointit should include:

Sometimes apt/dpkg can contain remotely exploitable bugs which s a bigrisk when updates are fetched over HTTP. As it happens, anyone couldhave been in a position to poison the update process and take over themachine because of [CVE-2014-6273] in apt-get [2]. What makesthis bug crippling is that updating apt to fix it would have exposed itto what the fix was supposed to prevent. The safest option this time wasto manually download the fixed package out of band. Updating from anOnion Service would protect systems from any tampering/attacks at theExits while bringing all the usual benefits of package metadata privacy.

***

While there's been some progress to setup Debian APT Onion Services[3][4], its still a long way away from being enabled as a safe default.This problem along many others summarized in the Debian wiki [5] (suchas upstream patching of chatty apps that leak system information likepip [6]) would make great talking points at the next DebConf.




[1] https://yawnbox.com/index.php/2016/05/03/draft-proposal-for-debian/
[2] http://security-tracker.debian.org/tracker/CVE-2014-6273

[3]http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/[4]http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/

[5] https://wiki.debian.org/TorifyDebianServices
[6] https://lists.debian.org/debian-security/2016/05/msg00059.html


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] TUF Repository for Tor Browser
Next by Author: Re: [tor-dev] TUF Repository for Tor Browser
Previous by thread: [tor-dev] remotor - control console that can also notify into a chatroom
Next by thread: [tor-dev] Error while building
Index(es):
- Author
- Thread