Lexi Pimenidis wrote: > On Wed, Sep 16, 2009 at 07:18:09AM CEST, Jacob Appelbaum wrote: > > Hej everybody, Hey hey Lexi (and others), > >> http://www.cl.cam.ac.uk/research/dtg/android/tor/ > > Uh, first time I learn from this project. Good times. > >> Do we want to look at the project as a good starting point? Should we >> consider it time, as a community, to pick up where Lexi left off? > > (for the record: it was a whole bunch of people...) > I oversimplified the list a bit. :-) >> Should we get the C client ported over to Android and packaged up? > > I haven't been developing apps for Android, hence I don't know to which extend > porting the C client will work. However, one of the many (long-term, and not > yet fulfilled) intentions of developing OnionCoffee was to avoid that a bug in > the very single application running th Tor network could be used to exploit > all clients. (However, I agree that the Tor-client is one of the best audited > pieces of software I've seen) That's a very good point and a good reason to have another Tor implementation. > > Hence my opinion is: sure, go ahead. OC was never ment to replace the original > client in any way. On the other hand we invested a significant amount of time > into it, so maybe it is worth the effort (for some open source developers) > to remove the bugs and keep it more or less up to date. > Is there a bug tracker or a source code manager that's currently in use? Would you be interested in moving this into Tor's subversion and using our Fly Spray? Roger will happily set you up with that if you're interested. >> Adam Langley did a build of the C Tor client for Android: >> http://www.mail-archive.com/or-talk@xxxxxxxxxxxxx/msg09408.html > > Well done :) I think that everything is merged into git-master and it's all ready to go; we'd just need a build setup similar to what Adam used... > >> I think having Tor on Android is very important and it's a good first >> step to having anonymity enabled mobile devices. > > I agree. If anywhere, mobile devices are in need of more privacy. ... > >> ----------------------- 2nd email ------------------- > [.. a lot of accurate and correct stuff cut..] > >> From just a cursory look, I do not believe it is safe to use OnionCoffee >> derived software when security or anonymity are desired properties. > > You're completely right. OnionCoffee is more like a research platform than > suitable for wide deployment (in its current state). Ok, I'm glad to hear that as a confirmation! > >> It doesn't seem like it would be impossible to fix these things and it seems >> likely that if we shake the tree, we'll find more stuff to fix... > > I guess so. However, I personally do not have the time for contributing > significant amounts of time into OC - still, I'd be more than happy to > support those who do. Great! > Maybe we could look for contributers on the main tor mailinglist - my guess > is that there are a bunch of people out there who know to code Java and > would gladly be able to send in fixes. At least I myself, maybe Andriy too, > could read the diffs and check in thos, which seem to advance the current > state. It seems like we need to have a specification for a client and then we need to ensure that the client is properly implemented. Some of this stuff is specified and some of it is simply done in the reference implementation. Having a good idea about the end goal seems like it will help. What's the current status of Onion Coffee? Can it do the newest Hidden Service stuff? Is it a full OR relay? If the v3 signatures are fixed, will it need a lot of other crypto work? Send us a brain dump :-) Best, Jacob
Attachment:
signature.asc
Description: OpenPGP digital signature