
[tor-dev] Why not use The Update Framework? (TUF)



> For TBB 3.0, we should use the Firefox updater. We should audit the
> Firefox updater for issues, and triage which of Thandy's features we
> should merge to it. (For example, we might want to sign the metadata
> file if it isn't signed; timestamp it if it isn't timestamped, add
> multiple-signature support, and so on.) [1]

That sounds like reinventing the wheel.

> Thandy was a good research platform, not a long-term piece of software
> we want to support. [1]

Why not use its predecessor, TUF? [2] [3]

TUF is written in Python, and after all those years, TUF developers are
still maintaining it and actively developing it. I think in future TUF
will become a mature and widespread solution. Also, work is being done to
let pip (the Python library installer) internally use TUF. So it can't
be so bad after all?

If you have discussed this and have reasons for rejecting it, fine. Just wanted
to throw it in, because I think basing this feature on another active
project (TUF) works better than reinventing the wheel.

[1] Commenting on:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/BundleUpdatePlan
[2] https://www.updateframework.com/
[3] https://github.com/theupdateframework/tuf