Re: [tor-talk] torproject package repository



With the exception that their servers are likely to still be rooted.

James:
Duncan:


For future reference, Mint is based on Ubuntu. Find out the
corresponding version that Mint is based on, and use the Tor Project's
Deb repository for that (this is almost certainly how it has been
configured). I don't know what Mint's policy is but I'd be very
surprised if this was default. Maybe you added it and forgot about it at
an earlier date. I suppose it's possible they have it listed under
additional repositories for the sake of convenience for Mint's users.

A word of warning I'd urge you to take heed of: Mint have had some
severe security issues in the past, both in updating packages (by
default they hold essential security updates such as to the kernel back
for "stability") and issues on their server. In a nutshell, they have
been running a large software project like amateurs and their servers
were accordingly rooted.
They had their servers compromised twice within the last two years, by
means of outdated and ill-configured WordPress plugins. Their forum
contents, including user details and passwords, were compromised and put
up for sale for a paltry sum on some dodgy website (if I remember the
reporting at the time, this happened more than once); and downloads were
replaced with malicious ISO images that included spyware.
There is no evidence they changed their security practices, so it's
reasonable to suggest that their servers are still compromised, or that
it is so trivial to do so that it will happen again. I would recommend
installing Debian or Ubuntu directly, as both these distributions have
good security practices.

But the only package that shows up in Mint's software manager is
"torbrowser-launcher", maintained by Ubuntu Developers
<ubuntu-devel-discuss@xxxxxxxxxxxxxxxx>.
I was curious if anyone used this torbrowser-launcher, or if
Torproject devs would highly frown on it?

Its description:  "helps download & install torbrowser." Doesn't
mention anything about it verifying TBB signature, which I always do.


Best,
Duncan
http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html

https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/

https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure

https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php

Duncan, I think you're trashing a distro based on what happened in 17.3
from overseas. The smart thing is to checksum the download. There are a
few articles above that talk about this. And there are two sets that
verify the downloads now. So, in fairness, I believe Mint isn't any
different than Ubuntu or Debian. Don't forget Debian was vulned a while
back too. All of these come from the same place and some of these repos
are interchangeable. I think your subjective ideas are simply out of
date and wrong now. (P.S., there are more links to prove what I am
saying here)
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk