Re: [tor-dev] TUF Repository for Tor Browser

[Lunar]

ban...@openmailbox.org:
> Thanks Lunar for the update. I thought the effort to upstream TBB had
> completely stalled because there was no activity on #3994. Good to know its
> still alive.
> 
> Is there somewhere I could look to track progress besides that ticket?

Don't misunderstand me. To the best of my knowledge, no one is working
on this at the moment. I was just sharing my picture of the situation.

-- 
Lunar 


signature.asc
Description: Digital signature
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] TUF Repository for Tor Browser

[bancfc]

On 2016-06-10 18:27, Lunar wrote:

ban...@openmailbox.org:

Rehash of previous discussions on the topic:


See #3994.


The major reasons why TBB is not in the Debian repository:

* The reproducible build system depends on a static binary image of 
(then

Ubuntu) which runs counter to Debian policy.


It's likely not a problem if built from source.

* TBB is based on Firefox ESR and not Iceweasel which also runs into 
the "no

duplicate source  package" policy of Debian.


I've discussed this with Debian security team a while ago and they are
ok with duplicate source code as long as the updates are done in a
timely manner. Tor Browser has a good record, so it's fine.

Reasons for unavailability of TBB .deb in the Tor Project APT 
repository:


* The break neck speed of development


A regular build could probably be automated via Jenkins.

* Its not easily packaged and the amount of effort needed is better 
spent

otherwise.


As far as I understand, the main issue is that Tor Browser only works
with a single (pre-populated) profile which can't be shared amongst
multiple users. Once this is solved, and Tor Browser can be installed
system-wide, getting a package should not be very hard.

Hope that helps,


Thanks Lunar for the update. I thought the effort to upstream TBB had 
completely stalled because there was no activity on #3994. Good to know 
its still alive.


Is there somewhere I could look to track progress besides that ticket?
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] TUF Repository for Tor Browser

[meejah]

carlo von lynX  writes:

> The README sounds good, but it being implemented in python adds quite
> a heavy additional dependency.

My understanding is that TUF is two things: a spec, and a reference
implementation (in Python). I'm sure other implementations would be
welcome -- and, e.g., Docker Notary is such an implementation (in Go) as
I understand it.

-- 
meejah
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] TUF Repository for Tor Browser

[Lunar]

ban...@openmailbox.org:
> Rehash of previous discussions on the topic:

See #3994.

> The major reasons why TBB is not in the Debian repository:
> 
> * The reproducible build system depends on a static binary image of (then
> Ubuntu) which runs counter to Debian policy.

It's likely not a problem if built from source.

> * TBB is based on Firefox ESR and not Iceweasel which also runs into the "no
> duplicate source  package" policy of Debian.

I've discussed this with Debian security team a while ago and they are
ok with duplicate source code as long as the updates are done in a
timely manner. Tor Browser has a good record, so it's fine.

> Reasons for unavailability of TBB .deb in the Tor Project APT repository:
> 
> * The break neck speed of development

A regular build could probably be automated via Jenkins.

> * Its not easily packaged and the amount of effort needed is better spent
> otherwise.

As far as I understand, the main issue is that Tor Browser only works
with a single (pre-populated) profile which can't be shared amongst
multiple users. Once this is solved, and Tor Browser can be installed
system-wide, getting a package should not be very hard.

Hope that helps,
-- 
Lunar 


signature.asc
Description: Digital signature
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] TUF Repository for Tor Browser

[carlo von lynX]

On Fri, Jun 10, 2016 at 04:22:04PM +0200, ban...@openmailbox.org wrote:
> In light of the technical obstacles that prevent packaging Tor
> Browser (see below), I propose operating a repository that relies on
> The Update Framework (TUF) [0]. TUF is a secure updater system
> designed to resist many classes of attacks [1]. Its based on Thandy
> (the work of Roger, Nick, Sebastian and others).

The README sounds good, but it being implemented in python adds quite
a heavy additional dependency. Isn't the same achievable by means of
a git library, using signed git commits and additional consistency
checks (git fsck or something). This should only allow for updates
which are forward in time and signed by the correct authors.
Additionally you could check(sum) the commit times, thus ensuring
that an update didn't get intentionally cut-off at last month's
insecure version. This would address most of the points you list in
https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt

Additionally, if git is only used for the metadata, leaving to the user
to decide when to download or torrent a certain new hashed version, then
it can provide daily or weekly keep-alive commits, making it hard for
an attacker to usurp the rare condition by which a torbrowser that has
not been used for months needs updates and could be lured into fetching
an insecure version. Maybe the git library needs to be hardened regarding
"endless data" and "slow retrieval" attacks, which would then be
something any git user would appreciate.

I personally am not affected by the debian issues. Since I
never understood why it should make sense to trust the debian
build process I happily enjoy MeisterP's excellent torbrowser
overlay for Gentoo. I even get to configure it so that it uses
my Tor router rather than any embedded one.


-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

[tor-dev] TUF Repository for Tor Browser

[bancfc]

In light of the technical obstacles that prevent packaging Tor Browser 
(see below), I propose operating a repository that relies on The Update 
Framework (TUF) [0]. TUF is a secure updater system designed to resist 
many classes of attacks [1]. Its based on Thandy (the work of Roger, 
Nick, Sebastian and others).


The advantage of this proposal is that (Tor based distros and others in 
general) can finally retire the TBB downloaders and shed the maintenance 
burden. Also there is no need to re-invent secure download mechanisms 
when there is a project that already covers this.


***

Rehash of previous discussions on the topic:

The major reasons why TBB is not in the Debian repository:

* The reproducible build system depends on a static binary image of 
(then Ubuntu) which runs counter to Debian policy.


* TBB is based on Firefox ESR and not Iceweasel which also runs into the 
"no duplicate source  package" policy of Debian.



Reasons for unavailability of TBB .deb in the Tor Project APT 
repository:


* The break neck speed of development

* Its not easily packaged and the amount of effort needed is better 
spent otherwise.




***

[0] https://theupdateframework.github.io/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev