Re: [tor-dev] TUF Repository for Tor Browser




meejah:
> carlo von lynX <lynX@xxxxxxxxxxxxxxxxxxxxxx> writes:
> 
>> The README sounds good, but it being implemented in python adds quite
>> a heavy additional dependency.
> 
> My understanding is that TUF is two things: a spec, and a reference
> implementation (in Python). I'm sure other implementations would be
> welcome -- and, e.g., Docker Notary is such an implementation (in Go) as
> I understand it.

I've read up on TUF for F-Droid.  It's a good discussion of the issues,
but the TUF software itself is only really applicable in a narrow range
of situations.  For example, it's in Python, so that's a no-go for
Android or iOS, and somewhat difficult on Windows.

I've always treated TUF as a nice overview of the issues.  F-Droid has
long implemented most of it, and now we are implementing the remaining
key bits, and a couple of parts just seem like vastly too much effort in
the short or medium term, versus the actual risk.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556