[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #8542 [GetTor]: More options on how to get the bundles

Subject: Re: [tor-bugs] #8542 [GetTor]: More options on how to get the bundles
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 22 Jan 2014 03:46:22 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Jan 2014 22:46:18 -0500
In-reply-to: <045.42e6fc25f4274508080985ac868c50ee@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <045.42e6fc25f4274508080985ac868c50ee@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#8542: More options on how to get the bundles
-----------------------------+-----------------
     Reporter:  mrphs        |      Owner:
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  GetTor       |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------

Comment (by mrphs):

 For the sake of having public record, as requested by sukhbir and phobos,
 I'm going to copy/paste my reply from a non-public thread to here.

 ===============


 > > When I played with !GetTor, and tried to make it send via Gmail, I
 registered [redacted] a.t gmail. I don't think the username really
 matters, as it does not show up in the URLs, does it?

 > It should not matter and this should be fine. Are you OK with sharing
 the details of this account? If yes, please pass them on to me, CCing Nima
 and anyone else who would like to have access to the account.


 we should be super cautious about these accounts. as if someone would be
 able to get a hold of them or recover any of them, would be able to send
 malicious software to a huge number of users. And please have it in mind
 we made this dropbox account just for test.  I don't know how we keep
 credentials at Tor Project. Maybe weasel or phobos can help us here?

 > > You still send out 5 or something links pointing to direct mirrors, do
 you? At least you should.

 > No because I have been told that those mirrors no longer work. If this
 information is incorrect, please point me to the mirrors and I will update
 the message.


 in an ideal situation, we should provide options for users on how they
 would like to download the bundles. and we should do it in our first
 (welcome) email.

 Options such as cloud links, zip file, mirrors, magnet, torrent, etc.

 And yes, you're right that we should send out at least one mirror link
 with every request. I say one as I believe we should keep it as minimal as
 we can. we need room to teach them how to check sig and hash.


 > I would like to see what the recent situation is? Because like Iran was
 also blocking some websites but now the situation is different. Is China
 actively blocking Gmail and Dropbox? If yes, then I am open to ideas for
 newer services because right now our implementation supports only Gmail
 and Dropbox. Of course this means you have to suggest some services which
 have an API that we can make use of and that we can "trust" :)


 I don't think if we necessarily need to ''/trust/'' any of these could
 services. what we need to do is to make sure users always check the
 signatures and sha256sum.

 Google, dropbox and bunch of other western services are blocked in china
 and I'm not sure if you remember, but I had this idea of ...

 (bare with me, it may sound horrible but needs more discussion)

 using Chinese cloud services (including but not limited to 'baidu'). I
 even checked their API and there are some cool hacks which we can upload
 our bundles to their cloud without them knowing where is it coming from.

 well they probably can run a filter and check the hash, detect and drop
 the file, but I have some ideas to get around that too.  Anyways  I mean,
 we're brainstorming, right? plus, cloud is cloud. us, uk or chinese
 services. what's the difference? I believe we should just take the
 advantage of it. and teach our users how to make sure they got the right
 piece of software.

 PS: for the sake of record: one other thing we should keep it in mind is
 to find a way to send out a new short-user-manual out with our emails. but
 I'd leave it to another discussion.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8542#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #6591 [GetTor]: Allow emails from @outlook.com users
Next by Author: [tor-bugs] #10692 [GetTor]: GetTor needs official two-factor-enabled dropbox and google accounts
Previous by thread: Re: [tor-bugs] #8542 [GetTor]: More options on how to get the bundles
Next by thread: [tor-bugs] #10592 [Website]: Consider adding analytics if it can be anonymized.
Index(es):
- Author
- Thread