Re: [tor-talk] torproject package repository

2017-08-10 Thread James
With that logic, Debian still is too.

dguth...@posteo.net:
> With the exception that their servers are likely to still be rooted.
> 
> James:
>> Duncan:
>>
>>>
>>> For future reference, Mint is based on Ubuntu. Find out the
>>> corresponding version that Mint is basing on, and use the Tor Project's
>>> Deb repository for that (this is almost certainly how it has been
>>> configured). I don't know what Mint's policy is but I'd be very
>>> surprised if this was default. Maybe you added it and forgot about it at
>>> an earlier date. I suppose it's possible they have it listed under
>>> additional repositories for the sake of convenience for Mint's users.
>>>
>>> A word of warning I'd urge you to take heed of: Mint have had some
>>> severe security issues in the past, both in updating packages (by
>>> default they hold essential security updates such as to the kernel back
>>> for "stability") and issues on their server. In a nutshell, they have
>>> been running a large software project like amateurs and their servers
>>> were accordingly rooted.
>>> They had their servers compromised twice within the last two years, by
>>> means of outdated and ill-configured Wordpress plugins. Their forum
>>> contents, including user details and passwords, were compromised and put
>>> up for sale for a paltry sum on some dodgy website (if I remember the
>>> reporting at the time, this happened more than once); and downloads were
>>> replaced with malicious ISO images that included spyware.
>>> There is no evidence they changed their security practices, so it's
>>> reasonable to suggest that their servers are still compromised, or that
>>> it is so trivial to do so that it will happen again. I would recommend
>>> installing Debian or Ubuntu directly, as both these distributions have
>>> good security practices.
>>>
>>>> But the only package that shows up in Mint's software manager is
>>>> "torbrowser-launcher", maintained by Ubuntu Developers.
>>>> I was curious if anyone used this torbrowser-launcher, or if
>>>> Torproject devs would highly frown on it?
>>>>
>>>> Its description:  "helps download & install torbrowser." Doesn't
>>>> mention anything about it verifying TBB signature, which I always do.

>>
>>> Best,
>>> Duncan
>> http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html
>>
>>
>> https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
>>
>>
>> https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure
>>
>>
>> https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
>>
>> Duncan, I think you're trashing a distro based on what happened in 17.3
>> from overseas. The smart thing is to checksum the download. There are a
>> few articles above that talk about this. And there are two sets that
>> verify the downloads now. So, in fairness, I believe Mint isn't any
>> different than Ubuntu or Debian. Don't forget Debian was vulned a while
>> back too. All of these come from the same place and some of these repos
>> are interchangeable. I think your subjective ideas are simply out of
>> date and wrong now. (P.S., there are more links to prove what I am
>> saying here)
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] torproject package repository

2017-08-10 Thread dguthrie

With the exception that their servers are likely to still be rooted.

James:
> Duncan:
>
>> For future reference, Mint is based on Ubuntu. Find out the
>> corresponding version that Mint is basing on, and use the Tor Project's
>> Deb repository for that (this is almost certainly how it has been
>> configured). I don't know what Mint's policy is but I'd be very
>> surprised if this was default. Maybe you added it and forgot about it at
>> an earlier date. I suppose it's possible they have it listed under
>> additional repositories for the sake of convenience for Mint's users.
>>
>> A word of warning I'd urge you to take heed of: Mint have had some
>> severe security issues in the past, both in updating packages (by
>> default they hold essential security updates such as to the kernel back
>> for "stability") and issues on their server. In a nutshell, they have
>> been running a large software project like amateurs and their servers
>> were accordingly rooted.
>> They had their servers compromised twice within the last two years, by
>> means of outdated and ill-configured Wordpress plugins. Their forum
>> contents, including user details and passwords, were compromised and put
>> up for sale for a paltry sum on some dodgy website (if I remember the
>> reporting at the time, this happened more than once); and downloads were
>> replaced with malicious ISO images that included spyware.
>> There is no evidence they changed their security practices, so it's
>> reasonable to suggest that their servers are still compromised, or that
>> it is so trivial to do so that it will happen again. I would recommend
>> installing Debian or Ubuntu directly, as both these distributions have
>> good security practices.
>>
>>> But the only package that shows up in Mint's software manager is
>>> "torbrowser-launcher", maintained by Ubuntu Developers.
>>> I was curious if anyone used this torbrowser-launcher, or if
>>> Torproject devs would highly frown on it?
>>>
>>> Its description:  "helps download & install torbrowser." Doesn't
>>> mention anything about it verifying TBB signature, which I always do.
>>
>> Best,
>> Duncan
>
> http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html
>
> https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
>
> https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure
>
> https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
>
> Duncan, I think you're trashing a distro based on what happened in 17.3
> from overseas. The smart thing is to checksum the download. There are a
> few articles above that talk about this. And there are two sets that
> verify the downloads now. So, in fairness, I believe Mint isn't any
> different than Ubuntu or Debian. Don't forget Debian was vulned a while
> back too. All of these come from the same place and some of these repos
> are interchangeable. I think your subjective ideas are simply out of
> date and wrong now. (P.S., there are more links to prove what I am
> saying here)



Re: [tor-talk] torproject package repository

2017-08-10 Thread James


Duncan:

> 
> For future reference, Mint is based on Ubuntu. Find out the
> corresponding version that Mint is basing on, and use the Tor Project's
> Deb repository for that (this is almost certainly how it has been
> configured). I don't know what Mint's policy is but I'd be very
> surprised if this was default. Maybe you added it and forgot about it at
> an earlier date. I suppose it's possible they have it listed under
> additional repositories for the sake of convenience for Mint's users.
> 
> A word of warning I'd urge you to take heed of: Mint have had some
> severe security issues in the past, both in updating packages (by
> default they hold essential security updates such as to the kernel back
> for "stability") and issues on their server. In a nutshell, they have
> been running a large software project like amateurs and their servers
> were accordingly rooted.
> They had their servers compromised twice within the last two years, by
> means of outdated and ill-configured Wordpress plugins. Their forum
> contents, including user details and passwords, were compromised and put
> up for sale for a paltry sum on some dodgy website (if I remember the
> reporting at the time, this happened more than once); and downloads were
> replaced with malicious ISO images that included spyware.
> There is no evidence they changed their security practices, so it's
> reasonable to suggest that their servers are still compromised, or that
> it is so trivial to do so that it will happen again. I would recommend
> installing Debian or Ubuntu directly, as both these distributions have
> good security practices.
> 
>> But the only package that shows up in Mint's software manager is
>> "torbrowser-launcher", maintained by Ubuntu Developers.
>> I was curious if anyone used this torbrowser-launcher, or if
>> Torproject devs would highly frown on it?
>>
>> Its description:  "helps download & install torbrowser." Doesn't
>> mention anything about it verifying TBB signature, which I always do.
>>

> Best,
> Duncan
http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html

https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/

https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure

https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php

Duncan, I think you're trashing a distro based on what happened in 17.3
from overseas. The smart thing is to checksum the download. There are a
few articles above that talk about this. And there are two sets that
verify the downloads now. So, in fairness, I believe Mint isn't any
different than Ubuntu or Debian. Don't forget Debian was vulned a while
back too. All of these come from the same place and some of these repos
are interchangeable. I think your subjective ideas are simply out of
date and wrong now. (P.S., there are more links to prove what I am
saying here)


Re: [tor-talk] torproject package repository

2017-08-10 Thread Duncan

Hi Joe,

Joe Btfsplk:
> Looking at https://www.torproject.org/docs/debian.html.en, it mentions
> the repository deb http://deb.torproject.org/torproject.org
> <distribution> main.
> Where distribution is the code name of the distro.
> Is the only package from this repo Tor itself and not Tor Browser? If
> it does host Tor Browser, would the package also work for Mint 18.1
> Serena?



Tor Browser is not hosted in the Tor Project's deb repositories because 
there are concerns that people would not update their browser when a new 
version is released - Tor Browser basically has automatic updates 
already (in that it puts a scary warning when you start it up and it 
detects that it is out of date) so the concern is that people don't 
refresh their Debian repository as often as would be necessary to get 
crucial updates to Tor Browser.



> However, the Torproject repo is / was already entered under
> "additional repositories" in my software manager and the signing key.
> It must have been added by the distro, as I didn't know this
> torproject repo existed.

For future reference, Mint is based on Ubuntu. Find out the 
corresponding version that Mint is basing on, and use the Tor Project's 
Deb repository for that (this is almost certainly how it has been 
configured). I don't know what Mint's policy is but I'd be very 
surprised if this was default. Maybe you added it and forgot about it at 
an earlier date. I suppose it's possible they have it listed under 
additional repositories for the sake of convenience for Mint's users.


A word of warning I'd urge you to take heed of: Mint have had some 
severe security issues in the past, both in updating packages (by 
default they hold essential security updates such as to the kernel back 
for "stability") and issues on their server. In a nutshell, they have 
been running a large software project like amateurs and their servers 
were accordingly rooted.
They had their servers compromised twice within the last two years, by 
means of outdated and ill-configured Wordpress plugins. Their forum 
contents, including user details and passwords, were compromised and put 
up for sale for a paltry sum on some dodgy website (if I remember the 
reporting at the time, this happened more than once); and downloads were 
replaced with malicious ISO images that included spyware.
There is no evidence they changed their security practices, so it's 
reasonable to suggest that their servers are still compromised, or that 
it is so trivial to do so that it will happen again. I would recommend 
installing Debian or Ubuntu directly, as both these distributions have 
good security practices.



> But the only package that shows up in Mint's software manager is
> "torbrowser-launcher", maintained by Ubuntu Developers.
> I was curious if anyone used this torbrowser-launcher, or if
> Torproject devs would highly frown on it?
>
> Its description:  "helps download & install torbrowser." Doesn't
> mention anything about it verifying TBB signature, which I always do.
>
> This is the description:
>
> "When you first launch Tor Browser Launcher, it will download TBB from
> https://www.torproject.org/ and extract it to ~/.local/share/torbrowser,
> and then execute it.
> Cache and configuration files will be stored in ~/.cache/torbrowser and
> ~/.config/torbrowser.
> Each subsequent execution after installation will simply launch the most
> recent TBB, which is updated using Tor Browser's own update feature.
> where TBB would be installed."

Tor Browser Launcher is not produced by the Tor Project. It was in 
Debian Jessie (8, oldstable) in the contrib section, because, while 
distributing only free software, it downloads executable software that 
Debian does not build from source. It was removed from Debian Stretch 
(9, the new stable version) because it was difficult to maintain.
The problems related to the way it does signature verification - it has 
a GPG keyring of the Tor Browser developers' keys, and then it verifies 
the signature against that. However, because of how it is designed, 
sometimes false positives occur when the keys of the Tor Browser 
developers change or are updated, and it will always print a scary 
warning that signature verification failed.


See https://github.com/micahflee/torbrowser-launcher/issues/263

Best,
Duncan
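An added example, not part of the thread and not the Tor Project's own documentation or code, for the step Duncan describes above (find the Ubuntu release a Mint install is based on, then use the Tor Project repository for that codename). It assumes Mint's /etc/upstream-release/lsb-release is present and names the Ubuntu base, and that the Tor Project signing key has already been dearmored into the keyring path KEYRING (a path chosen for this example). It also uses https and apt's signed-by option, neither of which is in the docs line Joe quoted, so that packages from this source are accepted only when signed by that key rather than by any key in the global trusted keyring.

```sh
#!/bin/sh
# Added example, not from the thread or the Tor Project's docs.
# Mint (like the 18.1 "serena" release in the thread) records the Ubuntu
# release it is built on in /etc/upstream-release/lsb-release; Mint's own
# /etc/lsb-release carries Mint's codename, which deb.torproject.org does
# not serve. This script takes the Ubuntu codename from the right file and
# prints the apt source line for the Tor Project repository.
#
# Assumption: the Tor Project signing key has already been dearmored into
# $KEYRING (path chosen for this example), so apt's signed-by option can
# bind this source to that key alone.
KEYRING="${KEYRING:-/usr/share/keyrings/tor-archive-keyring.gpg}"

# upstream_codename FILE: print DISTRIB_CODENAME from an lsb-release file,
# or fail if the file is missing or has no codename.
upstream_codename() {
    _f="$1"
    [ -r "$_f" ] || return 1
    _cn="$(sed -n 's/^DISTRIB_CODENAME=//p' "$_f" | tr -d '" \t\r')"
    [ -n "$_cn" ] || return 1
    printf '%s\n' "$_cn"
}

# torproject_source_line CODENAME [KEYRING]: print the sources.list entry.
# The codename is validated before it is interpolated, since anything that
# gets through ends up in an apt configuration file.
torproject_source_line() {
    _codename="$1"
    _kr="${2:-}"
    case "$_codename" in
        ''|*[!a-z]*) echo "refusing codename: '$_codename'" >&2; return 1 ;;
    esac
    if [ -n "$_kr" ]; then
        printf 'deb [signed-by=%s] https://deb.torproject.org/torproject.org %s main\n' "$_kr" "$_codename"
    else
        printf 'deb https://deb.torproject.org/torproject.org %s main\n' "$_codename"
    fi
}

main() {
    if _cn="$(upstream_codename /etc/upstream-release/lsb-release)"; then
        :  # Mint: this file names the Ubuntu base (xenial for the 18.x series)
    elif grep -q '^DISTRIB_ID=Ubuntu' /etc/lsb-release 2>/dev/null; then
        _cn="$(upstream_codename /etc/lsb-release)" || return 1
    else
        echo "cannot determine an Ubuntu codename; not guessing" >&2
        return 1
    fi
    torproject_source_line "$_cn" "$KEYRING"
}

# Run with --print to emit the line (e.g. to redirect into
# /etc/apt/sources.list.d/tor.list); otherwise only the functions are defined.
case "${1:-}" in --print) main ;; esac
```

Refusing to guess when neither file gives an Ubuntu codename is deliberate: feeding Mint's own codename to deb.torproject.org produces a 404 on the Release file, and a typo that slips through the validation would be written into apt's configuration.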


[tor-talk] torproject package repository

2017-08-09 Thread Joe Btfsplk
Looking at https://www.torproject.org/docs/debian.html.en, it mentions 
the repository deb http://deb.torproject.org/torproject.org
<distribution> main.

Where distribution is the code name of the distro.
Is the only package from this repo Tor itself and not Tor Browser? If it 
does host Tor Browser, would the package also work for Mint 18.1 Serena?


However, the Torproject repo is / was already entered under "additional 
repositories" in my software manager and the signing key.
It must have been added by the distro, as I didn't know this torproject 
repo existed.


But the only package that shows up in Mint's software manager is 
"torbrowser-launcher", maintained by Ubuntu Developers.
I was curious if anyone used this torbrowser-launcher, or if Torproject 
devs would highly frown on it?


Its description:  "helps download & install torbrowser." Doesn't mention 
anything about it verifying TBB signature, which I always do.


This is the description:

"When you first launch Tor Browser Launcher, it will download TBB from
https://www.torproject.org/ and extract it to ~/.local/share/torbrowser,
and then execute it.
Cache and configuration files will be stored in ~/.cache/torbrowser and
~/.config/torbrowser.
Each subsequent execution after installation will simply launch the most
recent TBB, which is updated using Tor Browser's own update feature. 
where TBB would be installed."




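An added example, not torbrowser-launcher's code and not the Tor Project's: verifying a downloaded Tor Browser tarball against its detached .asc signature using only a dedicated keyring, as Joe says he does by hand, and telling apart the outcomes Duncan's reply touches on. A signature made by a key that is not in the pinned keyring (the stale-keyring case after a developer key change) is a different situation from a signature that does not match the file, and an expired key is a third one. The keyring path and tarball name are placeholders, and the status lines shown in the tests are constructed, not captured from gpg.

```sh
#!/bin/sh
# Added example; this is not torbrowser-launcher's code nor the Tor Project's.
# Verifies a Tor Browser tarball against its detached .asc signature using a
# dedicated keyring only (never the user's default keyring), and classifies
# the result from gpg's machine-readable status lines instead of its prose.
#
# Why classify: a failed check can mean different things, and each calls
# for a different action.
#   badsig   - the file does not match the signature: do not run it
#   nopubkey - signed by a key the pinned keyring lacks (the stale-keyring
#              case after a developer key change): refresh the keyring from
#              a trusted source, then verify again; still do not run it
#   expired  - signing key or signature expired: treat as a failed check
#   good     - VALIDSIG/GOODSIG seen and nothing worse

# classify_gpg_status: read "[GNUPG:] ..." lines on stdin, print one word.
classify_gpg_status() {
    _good=0; _bad=0; _nokey=0; _exp=0
    while IFS= read -r _line; do
        case "$_line" in
            "[GNUPG:] BADSIG "*)                          _bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*)                       _nokey=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] EXPSIG "*)   _exp=1 ;;
            "[GNUPG:] GOODSIG "*|"[GNUPG:] VALIDSIG "*)   _good=1 ;;
        esac
    done
    # worst outcome wins, so one bad token is never masked by a good one
    if   [ "$_bad"   -eq 1 ]; then echo badsig
    elif [ "$_nokey" -eq 1 ]; then echo nopubkey
    elif [ "$_exp"   -eq 1 ]; then echo expired
    elif [ "$_good"  -eq 1 ]; then echo good
    else                           echo unknown
    fi
}

# verify_tbb KEYRING TARBALL: expects TARBALL.asc beside the tarball.
# KEYRING must be an absolute path (gpg resolves a bare name against its
# home directory). Prints the classification and succeeds only for "good".
verify_tbb() {
    _kr="$1"; _tb="$2"
    for _p in "$_kr" "$_tb" "$_tb.asc"; do
        [ -r "$_p" ] || { echo "missing or unreadable: $_p" >&2; return 2; }
    done
    # --status-fd 1 puts the status tokens on stdout; gpg's human-readable
    # report goes to stderr and is dropped so only the tokens are parsed.
    _res="$(gpg --batch --no-default-keyring --keyring "$_kr" --status-fd 1 \
               --verify "$_tb.asc" "$_tb" 2>/dev/null | classify_gpg_status)"
    echo "$_res"
    [ "$_res" = good ]
}

# Usage (placeholder names):
#   sh verify-tbb.sh --check /path/to/tor-browser-keyring.gpg tor-browser-linux64.tar.xz
case "${1:-}" in --check) verify_tbb "$2" "$3" ;; esac
```

Parsing the status tokens rather than grepping the human-readable output is what makes the script stable across gpg versions and locales, and keeping "nopubkey" separate from "badsig" is what lets a user act on the failure Duncan describes (update the keyring) instead of either ignoring the warning or discarding a tarball that was in fact signed correctly.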