Re: [tor-bugs] #13379 [Tor Browser]: Sign our MAR files
#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:  mikeperry    |      Owner:  mcs
         Type:  defect       |     Status:  needs_review
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-security, TorBrowserTeam201411R
Actual Points:               |  Parent ID:
       Points:               |
-------------------------+-------------------------------------------------
Comment (by gk):
Replying to [comment:19 mcs]:
> Replying to [comment:17 boklm]:
> > The change to add the --createIncrementalMARs command line to
> > update_responses looks good.
> >
> > The other changes introduce a single makefile rule to generate the
> > incremental mar files and sign them. I am wondering if we should separate
> > the incremental mar files generation, and the signature, to allow a
> > process like this:
> > - build tor-browser
> > - generate incremental mars
> > - upload sha256sums.incrementals.txt of unsigned mar files
> > - check that sha256sums.txt and sha256sums.incrementals.txt are
> >   matching
> > - sign the mar files, update responses xml files and upload
>
> It would be simple to keep 'incrementals' as a separate Make target.
> The reason I put everything in one script was to make it less likely that
> things would happen in the wrong order.
>
> gk or mikeperry: What do you think? What will the release process look
> like once we need to sign the MAR files?
I think we should use a process that allows independent builders to check
easily whether they got the same results as we did. And this means, I think,
we should follow boklm's idea: building everything including the
incremental MAR files and uploading everything, and then in a separate step
doing the signing and all the things needed for getting the updates
delivered. I see at least two important reasons why we want to do it this
way:

1) We want to have many builders to make it less likely our builds are
compromised. Building with gitian is already tedious and we should not
make it even more difficult to get matching builds, which we would if we
included the signing before the SHA sum creation.

2) There may be people who trust our reproducible build system but not
the complex signing process/code and fetching some update from some
server. Following boklm's idea they could pretty well get the benefits of
building Tor Browser themselves and applying the MAR update manually
(which users are already doing).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
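The "compare before you sign" step that boklm proposes and gk endorses above, written out as an added example; this is not code from tor-browser-build or from anyone on the ticket. It assumes two independent builders each publish a sha256sums file over their unsigned MAR files in the two-space text format that sha256sum(1) writes, and that the signing machine refuses to run its signing command until every hash agrees. The directory layout, the file names (full.mar, incremental.mar) and the SIGN command passed to sign_if_matching are all constructed for the demo; the real release process would substitute its own signing tool.

```shell
#!/bin/sh
# Added example (not tor-browser-build code): gate MAR signing on two
# independent builders producing byte-identical unsigned MAR files.
# Assumes sha256sum(1) or shasum(1) is available and MAR names have no spaces.

# Print "<sha256>  <basename>" for every *.mar in DIR, sorted by name, in the
# text-mode format sha256sum writes. This is the sha256sums.incrementals.txt
# each builder would upload before anything is signed.
sha256sums_of_dir() {
    dir=$1
    for f in "$dir"/*.mar; do
        [ -e "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=$(shasum -a 256 "$f" | cut -d' ' -f1)   # macOS/BSD fallback
        fi
        printf '%s  %s\n' "$h" "$(basename "$f")"
    done | sort -k2
}

# check_matching_builds OURS THEIRS
# Returns 0 when every file listed in OURS has the same hash in THEIRS,
# 1 if any hash differs or a file is missing on the other side.
# Every discrepancy is reported on stderr so it lands in the release log.
check_matching_builds() {
    ours=$1
    theirs=$2
    status=0
    while read -r hash name; do
        [ -n "$name" ] || continue
        other=$(awk -v n="$name" '$2 == n { print $1 }' "$theirs")
        if [ -z "$other" ]; then
            echo "MISSING  $name: not listed in $theirs" >&2
            status=1
        elif [ "$other" != "$hash" ]; then
            echo "MISMATCH $name" >&2
            echo "  ours:   $hash" >&2
            echo "  theirs: $other" >&2
            status=1
        fi
    done < "$ours"
    return $status
}

# sign_if_matching OURS THEIRS DIR SIGN...
# The signing step sits behind the comparison: SIGN (an assumed placeholder
# for the real signing command) is run on each MAR in DIR only after the two
# builders' hash lists agree. A mismatch aborts before any file is touched.
sign_if_matching() {
    ours=$1; theirs=$2; dir=$3; shift 3
    if ! check_matching_builds "$ours" "$theirs"; then
        echo "refusing to sign: builds do not match" >&2
        return 1
    fi
    for f in "$dir"/*.mar; do
        [ -e "$f" ] || continue
        "$@" "$f" || return 1
    done
    return 0
}

# Demo on constructed data: builders a and b agree, builder c's incremental
# MAR differs by one byte (a stand-in for a non-reproducible build).
demo() {
    work=$(mktemp -d)
    for b in builder-a builder-b builder-c; do
        mkdir -p "$work/$b"
        printf 'full mar contents\n'        > "$work/$b/full.mar"
        printf 'incremental mar contents\n' > "$work/$b/incremental.mar"
        sha256sums_of_dir "$work/$b" > "$work/$b.sha256sums.incrementals.txt"
    done
    printf 'incremental mar contentS\n' > "$work/builder-c/incremental.mar"
    sha256sums_of_dir "$work/builder-c" > "$work/builder-c.sha256sums.incrementals.txt"

    echo "builder-a vs builder-b:"
    sign_if_matching "$work/builder-a.sha256sums.incrementals.txt" \
        "$work/builder-b.sha256sums.incrementals.txt" \
        "$work/builder-a" echo "would sign" && echo "  signing allowed"
    echo "builder-a vs builder-c:"
    sign_if_matching "$work/builder-a.sha256sums.incrementals.txt" \
        "$work/builder-c.sha256sums.incrementals.txt" \
        "$work/builder-a" echo "would sign" || echo "  signing blocked"
    rm -rf "$work"
}
demo
```

The point of keeping check_matching_builds as its own step is the one gk makes: a third party who has run the same reproducible build can run exactly this comparison against the published sha256sums file without needing, or trusting, anything in the signing stage.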