[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torproject package repository



Hi Joe,

Joe Btfsplk:
Looking at https://www.torproject.org/docs/debian.html.en, it mentions
the repository deb http://deb.torproject.org/torproject.org
<DISTRIBUTION> main.
Where distribution is the code name of the distro.
Is the only package from this repo Tor itself and not Tor Browser? If
it does host Tor Browser, would the package also work for Mint 18.1
Serena?


Tor Browser is not hosted in the Tor Project's deb repositories because there are concerns that people would not update their browser when a new version is released - Tor Browser basically has automatic updates already (in that it puts a scary warning when you start it up and it detects that it is out of date) so the concern is that people don't refresh their Debian repository as often as would be necessary to get crucial updates to Tor Browser.

However, the Torproject repo is / was already entered under
"additional repositories" in my software manager and the signing key.
It must have been added by the distro, as I didn't know this
torproject repo existed.


For future reference, Mint is based on Ubuntu. Find out the corresponding version that Mint is basing on, and use the Tor Project's Deb repository for that (this is almost certainly how it has been configured). I don't know what Mint's policy is but I'd be very surprised if this was default. Maybe you added it and forgot about it at an earlier date. I suppose it's possible they have it listed under additional repositories for the sake of convenience for Mint's users.

A word of warning I'd urge you to take heed of: Mint have had some severe security issues in the past, both in updating packages (by default they hold essential security updates such as to the kernel back for "stability") and issues on their server. In a nutshell, they have been running a large software project like amateurs and their servers were accordingly rooted. They had their servers compromised twice within the last two years, by means of outdated and ill-configured Wordpress plugins. Their forum contents, including user details and passwords, were compromised and put up for sale for a paltry sum on some dodgy website (if I remember the reporting at the time, this happened more than once); and downloads were replaced with malicious ISO images that included spyware. There is no evidence they changed their security practices, so it's reasonable to suggest that their servers are still compromised, or that it is so trivial to do so that it will happen again. I would recommend installing Debian or Ubuntu directly, as both these distributions have good security practices.

But the only package that shows up in Mint's software manager is
"torbrowser-launcher", maintained by Ubuntu Developers
<ubuntu-devel-discuss@xxxxxxxxxxxxxxxx>.
I was curious if anyone used this torbrowser-launcher, or if
Torproject devs would highly frown on it?

Its description:  "helps download & install torbrowser." Doesn't
mention anything about it verifying TBB signature, which I always do.

This is the description:

"When you first launch Tor Browser Launcher, it will download TBB from
https://www.torproject.org/ and extract it to ~/.local/share/torbrowser,
and then execute it.
Cache and configuration files will be stored in ~/.cache/torbrowser and
~/.config/torbrowser.
Each subsequent execution after installation will simply launch the most
recent TBB, which is updated using Tor Browser's own update feature.
where TBB would be installed."

Tor Browser Launcher is not produced by the Tor Project. It was in Debian Jessie (8, oldstable) in the contrib section, because, while distributing only free software, it downloads executable software that Debian does not build from source. It was removed from Debian Stretch (9, the new stable version) because it was difficult to maintain. The problems related to the way it does signature verification - it has a GPG keyring of the Tor Browser developers' keys, and then it verifies the signature against that. However, because of how it is designed, sometimes false positives occur when the keys of the Tor Browser developers change or are updated, and it will always print a scary warning that signature verification failed.

See https://github.com/micahflee/torbrowser-launcher/issues/263

Best,
Duncan
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk