[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] TBB Gentoo ebuild



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

12 Aug 22:56 Mansour Moufid:
> Even with webrsync you still have to trust the mirror(s), and then
> the Gentoo release infrastructure...

Forgive me my bluntness, but how is that different from trusting you?

The methods are reliable, being Manifests and webrsync, the unknown
variable is the trust you give the ones providing you with ebuilds.
But those are identified by gpg on both levels.

And the TBB is even worse, cause I also have to trust what's in the
binaries. There is no way to tell what was actually compiled there. It
could be something different than the sources on the git server.


13 Aug 00:28 Matthew Finkel:
> 4) Given 3), is there a reason Tor is not at least an optional
> RDEPEND for torbrowser via a USE flag (or another way)?

There are no optional runtime-only dependencies in gentoo, this could
change with GLEP 62.
http://www.gentoo.org/proj/en/glep/glep-0062.html

I could however tell the user after compilation that he might want to
use tor with this...erm... but I thought that's obvious. The fact that
it's not forced for RDEPEND is simply, because there are setups where
this is not wanted/required.


13 Aug 00:28 Matthew Finkel:
> 5) If you did/do intend to create an ebuild for the TBB and not
> just the browser, it should provide the exact same experience as if
> the user downloaded it from torproject.org. I think this should
> include Vidalia launching Torbrowser once the network is
> configured.

Definitely not. The intention is not to provide an all-in-one experience.
I already had those arguments with the guys from #tor

All I am interested in is the question about the firefox build-time
configuration and if different build-time configurations could lead to
vulnerability in the tor network. If there is the slightest doubt
about that, I will remove this ebuild at once or fix it.


- -
hasufell

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQOpaJAAoJEFpvPKfnPDWzpI4H/igZDuVGyjdKEl9SvvV9gnY0
72esQTiHfx00gO42lOguutwBX54DV/S7HggEZy1P9UIi5gfJckrFKsM3Y9oD9tUX
X9EZA6WEU3F90MD0gFFxH2jcoEbm85UfjJkEwI2Hy1+lEOPAZqzBV1F0sBE/Xd/U
WwIgAHy8jKsTI1RTIW8r4VOoexifCllWvjbKiDNxeeixTQhwhvrCWnbqTI0WKR95
Er6LNwwYNh+Ugu7s6OwR7o3cUAuOXt3LUjf45bEGAgPF+lrqsXrfB9N5ANu+3177
94sxHgzYkRSsORjjl678/tZFfyp1jagX1FcT6O1dd/J4sHqfRdyZfy29d0DH/e0=
=gCI5
-----END PGP SIGNATURE-----
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev