Re: [tor-talk] Tor source code
Suhaib Mbarak writes:

> Dear all.
> 
> My question is to make sure whether tor source code is open and available
> for public or not?

Yes, it has always been since the beginning of the project.  Currently,
the code is available at

https://gitweb.torproject.org/tor.git

> In case it is open source and can be modified how it is secure?!!!!

Open source means that anyone is allowed to make their own changes (and
share those with the public if they want), but there is an official
version from the Tor Project which only official Tor maintainers can
change.  The official Tor maintainers receive suggestions from the public,
but they make the final decision about whether or not other people's
changes can become part of the official version of Tor.

For example, if you wanted to change something, you could make your own
modified version without anyone's permission, but it wouldn't be the
official version.  You would need to ask the maintainers to adopt your
changes if you wanted them to become part of the official version.

There is still an interesting question about whether people could somehow
trick the Tor maintainers into including a change that is actually
detrimental, even though it appears to be useful.  In many ways, the Tor
project relies on public scrutiny to confirm that changes that get
included in the official version are useful and don't introduce problems
or security holes.  There is a fairly broad consensus that this is a
useful way to work, yet I don't think that people are confident that all
of the risk has been mitigated, since there are also security research
projects that show that there are ways of intentionally creating bugs
that are subtle and carefully disguised as useful functionality.

So, there is still a need for ongoing research about how to learn to
detect (whether by human knowledge, by coding standards, by using
different languages or libraries, by creating new software tools, or
by something called formal methods where properties of code are proven) if
people are trying to disguise or hide a bug or vulnerability inside of a
useful contribution.

The Tor Project has actually thought about this issue a lot, if you're
very interested in it... there are probably other resources and
presentations that you could look at that further examine the issue.

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk