-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2013.07.01 17.28, adrelanos wrote:
> Eleanor Saitta:
>> On 2013.07.01 15.15, Julian Oliver wrote:
>>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>>> In response to "the tool doesn't exist"...
>>
>>> apt-get install tor && torify wget http://path.to/file
>>
>> And how did you verify the trust path for your initial debian
>> install?
>
> That's a different issue to be discussed and solved separately.

No, it really isn't. Either you have a trustable chain or you don't. Now, admitting that you have no trustable chain is fine; it means you're looking at outcomes and scope of compromise required to affect a single user, etc., because that's all that you've got left. In fact, it's useful to start thinking this way, because then, while chain of custody in the download process is still important, you start thinking about detection of interference rather than assuming that your house-of-cards updater will always work. Which it won't, no matter how good it is, if for no other reason than that it will have bugs which someone will eventually exploit.

E.

- -- 
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlHSOSMACgkQQwkE2RkM0wqFdAEAje76I5CbHdDQ+HtBB2b2b5Eg
iXspCoeAQ0t0eda0fL0A+wT2eaCEyXRlqLFAp8UW9f6Y6m8hqddR3yAvST+ACuNV
=gqUf
-----END PGP SIGNATURE-----