On Fri, Jun 10, 2016 at 04:22:04PM +0200, bancfc@openmailbox.org wrote:
> In light of the technical obstacles that prevent packaging Tor Browser (see below), I propose operating a repository that relies on The Update Framework (TUF) [0]. TUF is a secure updater system designed to resist many classes of attacks [1]. It's based on Thandy (the work of Roger, Nick, Sebastian and others).
The README sounds good, but it being implemented in Python adds quite a heavy additional dependency. Isn't the same achievable by means of a git library, using signed git commits and additional consistency checks (git fsck or something)? This should only allow for updates which are forward in time and signed by the correct authors. Additionally you could check(sum) the commit times, thus ensuring that an update didn't get intentionally cut off at last month's insecure version. This would address most of the points you list in https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt
Additionally, if git is only used for the metadata, leaving to the user to decide when to download or torrent a certain new hashed version, then it can provide daily or weekly keep-alive commits, making it hard for an attacker to usurp the rare condition by which a torbrowser that has not been used for months needs updates and could be lured into fetching an insecure version. Maybe the git library needs to be hardened regarding "endless data" and "slow retrieval" attacks, which would then be something any git user would appreciate.
I personally am not affected by the debian issues. Since I never understood why it should make sense to trust the debian build process I happily enjoy MeisterP's excellent torbrowser overlay for Gentoo. I even get to configure it so that it uses my Tor router rather than any embedded one.
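The update policy sketched in the reply above (forward-in-time only, signed by known keys, and recent keep-alive commits so a stale mirror is detected) written out as an added example; this is not code from the thread or from any project, and the commit records, key fingerprints and staleness window are constructed placeholders standing in for what `git log` and `git verify-commit` would report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for signed commits on a metadata branch. In practice
# these fields come from `git log --format=...` plus signature verification.
@dataclass(frozen=True)
class Commit:
    sha: str             # placeholder, not a real commit id
    committed: datetime  # committer timestamp
    signer: str          # key fingerprint reported by signature verification
    sig_ok: bool         # whether the signature verified

TRUSTED_SIGNERS = {"KEY-A-FPR", "KEY-B-FPR"}  # hypothetical release keys
MAX_STALENESS = timedelta(days=14)             # tolerated gap between keep-alives

def check_update(current: Commit, candidate: Commit, now: datetime) -> list:
    """Return the policy violations found; an empty list means acceptable."""
    problems = []
    if not candidate.sig_ok or candidate.signer not in TRUSTED_SIGNERS:
        problems.append("untrusted or invalid signature")
    # Rollback defence: never accept metadata older than what is installed.
    if candidate.committed <= current.committed:
        problems.append("candidate is not newer than installed version")
    # Freeze defence: the newest commit must be recent; otherwise the mirror
    # may be withholding later versions (the "cut off at last month" case).
    if now - candidate.committed > MAX_STALENESS:
        problems.append("newest metadata is stale; possible freeze attack")
    # Clock sanity: a commit dated in the future is suspicious.
    if candidate.committed > now + timedelta(hours=1):
        problems.append("candidate timestamp is in the future")
    return problems

# Constructed scenarios.
UTC = timezone.utc
NOW = datetime(2016, 6, 12, tzinfo=UTC)
INSTALLED = Commit("c0ffee00", datetime(2016, 5, 1, tzinfo=UTC), "KEY-A-FPR", True)
FRESH = Commit("c0ffee01", datetime(2016, 6, 10, tzinfo=UTC), "KEY-B-FPR", True)
ROLLBACK = Commit("c0ffee02", datetime(2016, 4, 1, tzinfo=UTC), "KEY-A-FPR", True)
STALE = Commit("c0ffee03", datetime(2016, 5, 15, tzinfo=UTC), "KEY-A-FPR", True)
FORGED = Commit("c0ffee04", datetime(2016, 6, 11, tzinfo=UTC), "KEY-X-FPR", True)

if __name__ == "__main__":
    for name, cand in [("fresh", FRESH), ("rollback", ROLLBACK),
                       ("stale", STALE), ("forged", FORGED)]:
        print(name, check_update(INSTALLED, cand, NOW) or "OK")
```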