[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #8286 [Tor bundles/installation]: Fetch software during TBB build process only over trusted HTTPS



#8286: Fetch software during TBB build process only over trusted HTTPS
--------------------------------------+-------------------------------------
 Reporter:  ioerror                   |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  major                     |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 Currently, we fetch software using wget and we do so with all certificate
 checking disabled. I believe we should have a mirror of all the source
 code that we expect people to download and we should offer it over HTTPS.

 I've put up such a mirror here as a proof of concept:
 https://people.torproject.org/~ioerror/src/mirrors/

 I'll attach some patches to help ensure that we allow wget to verify the
 HTTPS cert and to ensure that we use the secure mirror.

 Later, we can find a location for a mirror that is more permanent as this
 improves the security of the build process tremendously. It also improves
 the reliability as some of the download sites are extremely slow or use
 protocols that are prone to censorship. :(

 Thoughts?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8286>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs