#28942: Evaluate pion WebRTC --------------------------------------------+------------------------------ Reporter: backkem | Owner: cohosh Type: enhancement | Status: accepted Priority: Medium | Milestone: Component: Circumvention/Snowflake | Version: Severity: Normal | Resolution: Keywords: anti-censorship-roadmap-august | Actual Points: Parent ID: | Points: 5 Reviewer: | Sponsor: | Sponsor28-must --------------------------------------------+------------------------------
Comment (by dcf): Replying to [comment:46 cohosh]: > I think the easiest way to go forward here is to take boklm's suggestion in https://trac.torproject.org/projects/tor/ticket/28325#comment:5 and just package up the directory supplied by `go mod vendor`. I've attached a zip file of working dependencies in `vendor.zip` above. Downloading a premade vendor.zip is a workable idea, but it does reduce the reproducible build's resistance to targeted attacks somewhat. To plant a backdoor in vendor.zip, an attacker would only have to subvert the computer of the developer that produces it (or the small number of developers who produce it and compare their copies with each other's). Once the vendor.zip is "blessed" with a checksum in a build script, no further builds will have a chance to detect the subterfuge. Maybe we could run the `go mod vendor` step in a `steps: fetch_sources:` step in projects /pion-webrtc/config instead? Compare [https://gitweb.torproject.org/user/dcf/tor-browser- build.git/tree/projects/webrtc/config?h=pion- webrtc&id=e7de4df2662b682acbd6937850584e65905e7a5e#n71 how it was done for webrtc]: projects/webrtc/config has a custom `fetch_sources` script that outputs a webrtc-sources-XXX.tar.gz, which is then [https://gitweb.torproject.org/user/dcf/tor-browser- build.git/tree/projects/webrtc/config?h=pion- webrtc&id=e7de4df2662b682acbd6937850584e65905e7a5e#n71 used] by projects/webrtc/build. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28942#comment:48> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs