Eleanor Saitta:
> On 2013.07.01 15.15, Julian Oliver wrote:
>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>> In response to "the tool doesn't exist"...
>
>> apt-get install tor && torify wget http://path.to/file
>
> And how did you verify the trust path for your initial debian install
It is easy enough for me, nearly impossible for regular users. I verify the signature. I verify the trust path by having been to DebConf and attending key signing parties. Having a trust path to the people who sign the releases is important, of course. Long ago, I was trying to install an extra package from OpenBSD - for some strange reason, I needed a package that was not on the CD or the CD was no longer in the machine. In any case, I found the package on the OpenBSD mirrors but weirdly, it was the only package not in the published hash to filename list. Eventually I found myself on IRC asking for a hash of the file, only to be mocked in the typical arrogant OpenBSD style. I sent patches to ensure others would not need to ask the questions I was asking, I suggested ensuring all files were hashed and if possible, that there was at least a signature or a key on the release CDs, etc. I really made an effort to document and suggest positive fixes for each issue that concerned me. Eventually, someone questioned my entire motivation - "Where did you get the CD?" - "How do you know it wasn't tampered with in the mail?" - "How do you know the person from OpenBSD was really from OpenBSD and not just someone selling CDs at a conference?" and similar questions. The basic idea was this arrogant "don't complain about a few missing details, you have your own problems too" dismissal that really was perhaps the most funny part of the entire ordeal. So I let them know that I was living in Calgary when I received the CD and that I received my first copy of OpenBSD on CD from Theo himself. He gave it to me while I was touching cvs.openbsd.org in his basement. For a while I was living in Calgary, which just happened to be down the street from him in Canada. It was at that point that someone chimed in to say something to the effect of "Yeah, well, not everyone can do that..."
We need a secure downloading tool, we need it to be built into every OS by default and until then, we'll have to rely on tricks to hack it - preloading certs in browsers, having a website to download it from and so on.

All the best,
Jacob
