Proposal 227 added a method for putting non-little-t-tor package versions and digests in the consensus, intended to authenticate Tor Browser updates. This is done in tor 0.2.6, although itâs not yet in use by Tor Browser or the consensus. I propose using this feature to notify Ricochet[1] users of software updates. My reasoning is: - Itâs vital to the security of Ricochetâs users that theyâre quickly notified of version updates - Tor is the only infrastructure Ricochet uses; adding an âupdate serverâ would harm its model - The consensus-based method is better than anything we can independently do - I think Ricochet is an ideal case of where this work can be useful The benefits from my side are obvious, but itâs less clear if this is appropriate for Tor. Ricochet users[2] are an extremely small portion of Torâs users, but this would be in every consensus. Some directory authorities would have to volunteer to keep those votes up to date. Iâm interested in feedback from the community in general, and especially from directory authorities on whether this is something theyâd be interested in supporting. Of course, even if people think this is a good idea, the burden is on me to convince DAs to lend their time. Thanks, - John [1] https://ricochet.im/ [2] Itâs part of the design that I canât accurately count users. My best guess is âlow hundreds, and growingâ.
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev