Nima:
> Sherief Alaa:
>> But this is all an endless chain because let's say I download TBB, then
>> download gpg to verify it but then how do I make sure that gpg itself
>> wasn't tampered with? (assuming I don't have it installed already.)
>
> Indeed that's an endless chain and turtles all the way down. Plus (as
> you already mentioned) you also need to install gpg for osx and windows;

Yes.

> Which in windows case there's absolutely no secure way to download pgp
> itself.

I agree. (There is at least a more secure than no security at all way to obtain it.)

[tor-talk] Getting a GnuPG version for Windows in a secure way
https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html

> Poor windows users are screwed by *design*
>
> That being said, I totally support making this process easier. In fact,
> I dream a day where TBB could itself (or TorButton perhaps) check and
> see if all of its executable files are identical to the latest version
> on repository in a secure way without confusing (or even say noticing)
> the average user.
>
> Maybe this can be part of the auto-update project?

This wouldn't solve how users could safely obtain it in the first place. Having the auto-updater working is a separate issue worth solving.

> But whatever it is, it can't be a simple tiny app.

I totally agreed with that in a separate mail.

_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
