[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torproject package repository

To: dguthrie@xxxxxxxxxx, tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] torproject package repository
From: James <james@xxxxxxxxxxxxx>
Date: Thu, 10 Aug 2017 22:38:00 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 10 Aug 2017 18:38:34 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=insiberia.net; s=stigmate; t=1502404699; bh=zYXqXMBM0pBREmpA+a3cEijdOxHMsXw/gyGqXrBiWtw=; h=Reply-To:Subject:To:References:From:Date:In-Reply-To; b=X1PpgTfi8P2PB0zlUogGja/oC0D1w2wJkHm4Y9TdDe9nU2GL1BLGm4Dz5pJ7PcUFI tZWTPsXNSdchkfXrJ8UsyFj9NulEQ6l98idWv1neTgk7o3+mmuSRrXZpVBDpFuC+tH 9rmi9v7fsvKpFq4BZBgMGPDmx/oCc1Ew2osGtpaE=
In-reply-to: <b8cf9d011568bd2024bb80e2fc3b3eea@posteo.net>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <b36e3d2b-d0a6-e0a0-7b04-0a3b11080308@gmx.com> <dd9a9d68a8b5ad8b2ea99a0887ec6f0e@posteo.net> <25d56081-02a2-969f-f7bf-9877f21150ab@insiberia.net> <b8cf9d011568bd2024bb80e2fc3b3eea@posteo.net>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

With that logic, Debian still is too.

dguthrie@xxxxxxxxxx:
> With the exception that their servers are likely to still be rooted.
> 
> James:
>> Duncan:
>>
>>>
>>> For future reference, Mint is based on Ubuntu. Find out the
>>> corresponding version that Mint is basing on, and use the Tor Project's
>>> Deb repository for that (this is almost certainly how it has been
>>> configured). I don't know what Mint's policy is but I'd be very
>>> surprised if this was default. Maybe you added it and forgot about it at
>>> an earlier date. I suppose it's possible they have it listed under
>>> additional repositories for the sake of convenience for Mint's users.
>>>
>>> A word of warning I'd urge you to take heed of: Mint have had some
>>> severe security issues in the past, both in updating packages (by
>>> default they hold essential security updates such as to the kernel back
>>> for "stability") and issues on their server. In a nutshell, they have
>>> been running a large software project like amateurs and their servers
>>> were accordingly rooted.
>>> They had their servers compromised twice within the last two years, by
>>> means of outdated and ill-configured Wordpress plugins. Their forum
>>> contents, including user details and passwords, were compromised and put
>>> up for sale for a paltry sum on some dodgy website (if I remember the
>>> reporting at the time, this happened more than once); and downloads were
>>> replaced with malicious ISO images that included spyware.
>>> There is no evidence they changed their security practices, so it's
>>> reasonable to suggest that their servers are still compromised, or that
>>> it is so trivial to do so that it will happen again. I would recommend
>>> installing Debian or Ubuntu directly, as both these distributions have
>>> good security practices.
>>>
>>>> But the only package that shows up in Mint's software manager is
>>>> "torbrowser-launcher", maintained by Ubuntu Developers
>>>> <ubuntu-devel-discuss@xxxxxxxxxxxxxxxx>.
>>>> I was curious if anyone used this torbrowser-launcher, or if
>>>> Torproject devs would highly frown on it?
>>>>
>>>> Its description:  "helps download & install torbrowser." Doesn't
>>>> mention anything about it verifying TBB signature, which I always do.
>>>>
>>
>>> Best,
>>> Duncan
>> http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html
>>
>>
>> https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
>>
>>
>> https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure
>>
>>
>> https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
>>
>> Duncan, I think you're trashing a distro based on what happened in 17.3
>> from overseas. the smart thing is to checksum the download. There are a
>> few articles above that talk about this. and there are two sets that
>> verify the downloads now. So, in fairness, I believe Mint isn't any
>> different than Ubuntu or Debian. Don't forget Debian was vulned a while
>> back too. All of these come from the same place and some of these repos
>> are interchangeable. I think your subjective ideas are simply out of
>> date and wrong now. (P.S., there are more links to prove what I am
>> saying here)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] torproject package repository
  - From: Joe Btfsplk
- Re: [tor-talk] torproject package repository
  - From: Duncan
- Re: [tor-talk] torproject package repository
  - From: James
- Re: [tor-talk] torproject package repository
  - From: dguthrie

Prev by Author: Re: [tor-talk] MTor (multicast tor), is it going to be released?
Next by Author: Re: [tor-talk] torproject package repository
Previous by thread: Re: [tor-talk] torproject package repository
Next by thread: [tor-talk] Tor, DNS leaks, and BrowserLeaks.com
Index(es):
- Author
- Thread