[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser

To: undisclosed-recipients: ;
Subject: [tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 21 Aug 2018 15:23:34 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Aug 2018 11:23:45 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#27242: hash-stable source tarball release of torbrowser
------------------------------------------+----------------------
     Reporter:  w3ICKRsTMaxPeO            |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Could torbrowser please provide a source tarball release, which has a
 stable hash?

 The current releases are generated on-the-fly by git and a given release
 can have one hash today, but another hash tomorrow, even though it's the
 same release tarball.

 This poses a problem in any scenario where hash-verification of the source
 tarball is needed.

 Such is the case for instance with source-based GNU/Linux distros, like
 Gentoo. Package manager checks the hash of sources before building, for
 security and quality assurance reasons.

 The stability does not mean that the sources must be available for
 extremely long time. It's OK if they vanish, because Gentoo has a
 mirroring system in place. The only requirement is that a given source URL
 has a constant hash.

 Reference of a downstream bug:
 https://github.com/MeisterP/torbrowser-overlay/issues/14

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27242>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #27261 [Applications/Tor Browser]: Tor Browser 8.0a9/10 gets stuck in an endless reload cycle
Next by Author: Re: [tor-bugs] #8228 [Applications/Tor Launcher]: Tor Launcher: Ensure we always have a Tor on 127.0.0.1:9050 (was: Ensure we always have a Tor on 127.0.0.1:9050)
Previous by thread: [tor-bugs] [Tor Bug Tracker & Wiki] Batch modify: #24986, #24990, #25651, #25727, ...
Next by thread: Re: [tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser
Index(es):
- Author
- Thread