[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser
#27242: hash-stable source tarball release of torbrowser
------------------------------------------+----------------------
Reporter: w3ICKRsTMaxPeO | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Could torbrowser please provide a source tarball release, which has a
stable hash?
The current releases are generated on-the-fly by git and a given release
can have one hash today, but another hash tomorrow, even though it's the
same release tarball.
This poses a problem in any scenario where hash-verification of the source
tarball is needed.
Such is the case for instance with source-based GNU/Linux distros, like
Gentoo. Package manager checks the hash of sources before building, for
security and quality assurance reasons.
The stability does not mean that the sources must be available for
extremely long time. It's OK if they vanish, because Gentoo has a
mirroring system in place. The only requirement is that a given source URL
has a constant hash.
Reference of a downstream bug:
https://github.com/MeisterP/torbrowser-overlay/issues/14
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27242>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs