Re: [tor-bugs] #7989 [Website]: revise OS X relay instructions
#7989: revise OS X relay instructions
---------------------+------------------------------------------------------
Reporter: phobos | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone:
Component: Website | Version:
Keywords: | Parent:
Points: | Actualpoints:
---------------------+------------------------------------------------------
Comment(by arfarf):
I have a few concerns with steps 1 and 2, and usage of Homebrew in
general.
Step 1:
{{{
ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"
}}}
This will insecurely (-k = no certificate checks) load code from Homebrew
and send it to the ruby interpreter. This is how Homebrew advertises their
install method, but it isn't secure in the slightest. I'm not aware of any
reasonably secure way to bootstrap Homebrew, as it wasn't designed with
security in mind.
{{{
brew install tor
}}}
The only verification done here will be a check of the MD5 checksum
provided by brew. I suppose it may be possible to download the Tor
tarball, confirm the signature with GPG, and move the tarball to the
/Library/Caches directory before running the install command; however, any
minor mistakes in the process would just cause brew to download the
source.
A better solution may be packaging and signing a standalone Tor relay
build, so that concerned end-users can verify GPG signatures.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7989#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
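
A review check for the Step 1 concern in the comment above, as an added example that is not part of the original message or of the Tor website instructions: it flags documented curl commands that disable certificate checks or do not name an https:// URL. The function name and finding labels are assumptions, and the no-scheme rule relies on curl falling back to HTTP when a URL carries no scheme.

```shell
#!/bin/sh
# Added example (not from the ticket): heuristic review check for curl
# commands quoted in install instructions. The function name and the finding
# labels are hypothetical. Prints one finding per line; exit status is 1 if
# anything was flagged, 0 otherwise. Nothing is downloaded or executed.
audit_curl_cmd() (
  set -f                      # split into words without glob expansion
  # Drop quoting and $( ) wrappers so that "$(curl becomes the word curl.
  cleaned=$(printf '%s' "$1" | tr -d "\"'\`\$()")
  in_curl=0
  status=0
  for word in $cleaned; do
    if [ "$word" = curl ]; then in_curl=1; continue; fi
    [ "$in_curl" -eq 1 ] || continue
    case $word in
      '|'|';'|'&&'|'||')      # end of the curl command
        in_curl=0 ;;
      --insecure)
        echo "tls-verification-disabled: $word"; status=1 ;;
      --*) ;;                 # any other long option
      -*k*)                   # bundled short flags containing k, e.g. -fsSkL
        echo "tls-verification-disabled: $word"; status=1 ;;
      -*) ;;                  # any other short option
      https://*) ;;
      http://*)
        echo "cleartext-url: $word"; status=1 ;;
      *://*) ;;               # other schemes are out of scope here
      *.*/*)                  # host/path with no scheme: curl assumes HTTP
        echo "no-https-scheme: $word"; status=1 ;;
    esac
  done
  exit "$status"
)

# The Step 1 command from the comment, passed as a literal string.
audit_curl_cmd 'ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"' || true
```

The check is a word-level heuristic for triaging documentation, so a short option whose attached value contains the letter k can be flagged without disabling verification.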