Sherief Alaa:
> But this is all an endless chain because let's say I download TBB, then
> download gpg to verify it but then how do I make sure that gpg itself
> wasn't tampered with? (assuming I don't have it installed already.)

Indeed that's an endless chain and turtles all the way down. Plus (as you already mentioned) you also need to install gpg for OS X and Windows, and in Windows' case there's absolutely no secure way to download PGP itself. Poor Windows users are screwed by *design*.

That being said, I totally support making this process easier. In fact, I dream of a day where TBB could itself (or TorButton perhaps) check and see if all of its executable files are identical to the latest version on the repository in a secure way without confusing (or even say noticing) the average user. Maybe this can be part of the auto-update project? But whatever it is, it can't be a simple tiny app.

--
Nima
0XC009DB191C92A77B | mrphs

"I disapprove of what you say, but I will defend to the death your right to say it" --Evelyn Beatrice Hall
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev