adrelanos:
> Jacob Appelbaum:
>> Do you plan to download TBB over Tor that is provided by the system, say
>> by adding a dependency on a system Tor?
>
> There has been a bit of discussion about this in
> https://trac.torproject.org/projects/tor/ticket/5236 already. (Search
> for "over Tor" to quickly navigate it.)
>

I've seen the ticket.

> I think downloading over Tor is desirable, but very difficult to implement.
>

It is as easy as adding a `depends: tor` line to the debian/control file.
In modern Debian or recent Ubuntus, it is fine.

> What about bridge users? They have to edit a system-wide torrc and the
> TBB torrc?
>

You're overthinking it. Connecting to the Tor Project website often
fails - far more than the Tor network being blocked.

> What about users who don't want to ever connect to the public Tor
> network? -> https://trac.torproject.org/projects/tor/ticket/7197
>

Such users have a valid concern but I hardly think that this package is
for such users - as it stands right now, that problem is made worse by
both connecting to Tor's website *and* the public network.

>> A MITM may be able
>> to replay an old valid signature for a package, does your code handle
>> that case?
>
> I am not Micah, but I don't know how he could. I think the Tor Project
> would have to finish Thandy for that purpose.
>

It is easy - never allow a valid signature with a lesser version number.

>> You may enjoy the paper and code on theupdateframework.com to
>> look into those kinds of issues...
>
> Yes, it's really good.
>
> They also gave me a link to https://github.com/akonst/tuf (see docs folder).

Neat.

All the best,
Jacob
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
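The rule stated in the message above (never accept a validly signed package with a lesser version number), as an added Python example that is not part of the original thread or of the launcher's code. Assumptions: HMAC-SHA256 stands in for the OpenPGP signature check, and the JSON manifest, the `state` record and all function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for verifying an OpenPGP
# signature; the rollback check is what this example demonstrates.
DEMO_KEY = b"constructed-demo-key"


def sign(manifest: bytes, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, manifest, hashlib.sha256).digest()


def parse_version(text: str) -> tuple:
    # Compare numerically: as strings, "2.10" would sort below "2.9".
    # Anything that is not dotted integers raises ValueError (fails closed).
    return tuple(int(part) for part in text.split("."))


class RollbackError(Exception):
    """A correctly signed manifest offered an older version."""


def make_manifest(version: str, sha256: str) -> tuple:
    body = json.dumps({"version": version, "sha256": sha256}).encode()
    return body, sign(body)


def accept_update(manifest: bytes, signature: bytes, state: dict,
                  key: bytes = DEMO_KEY) -> str:
    """Return the accepted version or raise. `state` is the persisted
    record of the highest version accepted so far (hypothetical format)."""
    # 1. Authenticate first; never parse fields out of unsigned data.
    if not hmac.compare_digest(sign(manifest, key), signature):
        raise ValueError("bad signature")
    # 2. The version comes from inside the signed manifest, not from a
    #    file name or URL that someone on the network path can choose.
    offered = json.loads(manifest)["version"]
    # 3. A valid signature on a lesser version is a replay: refuse it.
    if parse_version(offered) < parse_version(state["highest_seen"]):
        raise RollbackError(f"{offered} < {state['highest_seen']}")
    state["highest_seen"] = offered
    return offered


if __name__ == "__main__":
    state = {"highest_seen": "2.9"}  # constructed sample state
    print(accept_update(*make_manifest("2.10", "00" * 32), state))
```

The check only holds if `state` is stored where a downloaded package cannot rewrite it and is updated only after the signature has verified.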
