The Gitian tools have this: https://github.com/devrandom/gitian-builder/blob/master/share/gitian_updater.py
which could be adapted to work with other network protocols (e.g. Torrent). On 07/01/2013 11:03 AM, adrelanos wrote: > In response to "the tool doesn't exist"... > > You can create a really great privacy preserving application, Open > Source, but when you want to share it with the world, it's difficult to > ensure, that users actually get legit versions. > > Goal: > > - big file downloads > - at least as secure as TLS > - at least as simple as a regular download using a browser > - not using TLS itself (too expensive) for bulk download > > The problem: > > 1. Unauthenticated downloads can get infected with malware on the fly > and we're living in a world were governments are interested in doing so > or already doing it. > > 2. There are no free Open Source hosts providing TLS or any other kind > of authentication usable by layman. (github doesn't provide downloads > anymore, sourceforge "only" offers unlimited free http downloads, no TLS.) > > 3. TLS downloads are expensive. I am creating Free Software myself > already (Whonix), but I am not willing to pay hundred of dollars every > month for TLS downloads and many other producers of Free Software aren't > willing to do that as well. That's just the reality. > > 4. Gpg verification - almost no one uses it. Technically, it works okay, > you can share your OpenPGP public key over TLS (web traffic isn't the > most expensive thing, downloads are) or even web of trust (non-anonymous > people) and it can verify builds. Since only one in twenty persons (or > worse) uses it for verification, for whatever reasons, its not the solution. > > 5. Windows doesn't even have a package manager like Debian has apt-get. > (Sorry, I am ignorant about Windows 8 and its app store thingy and not > sure if FOSS developers can easily add their software.) > > 6. Linux distributions, such as Debian have awesome updating systems > (Debian has apt-get, which even defeats The Update Framework threat > model [1], other distributions may have similar great updaters. > > Problem: its far from easy to get software into the repository, you need > to create packages following their policy, need to be a Debian developer > or need a sponsor, thats absoutely non-trivial, many projects just > failed or have given up (example: Retroshare). > > Usually their repository is filled up with high quality packages. Just > many projects/newer projects not capable/compatible/etc. with that end > up using less secure methods to share their software. There is nothing > in the middle such as a PPA service. (Ubuntu has a PPA service, but > Ubuntu should be avoided for other privacy issues [2].) > > 7. Metalink could solve it, if there where metalink downloaders > supporting OpenPGP, but there aren't any. > > 8. Mainstream browsers don't come with Metalink/OpenPGP support out of > the box, so you'd still have to tell users "you have to download tool X > to download our tool Y". > > In conclusion: > > I don't think we need a gpg4win downloader, a TBB downloader, Tails > downloader, a Whonix downloader... Thats just a lot duplicate effort and > another bootstrap issue: how to share the download tool itself? Make it > small and share it over TLS? > > I think, this kind of tool doesn't exist yet. > > References: > > [1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses > [2] > https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks > > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech > -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
