Jacob Appelbaum:
Do you plan to download TBB over Tor that is provided by the system, say by adding a dependency on a system Tor?
There has been a bit of discussion about this in https://trac.torproject.org/projects/tor/ticket/5236 already. (Search for "over Tor" to navigate it quickly.)
I think downloading over Tor is desirable, but very difficult to implement.
What about bridge users? They have to edit a system-wide torrc and the TBB torrc?
What about users who don't want to ever connect to the public Tor network? -> https://trac.torproject.org/projects/tor/ticket/7197
A MITM may be able to replay an old valid signature for a package, does your code handle that case?
I am not Micah, but I don't know how he could. I think the Tor Project would have to finish Thandy for that purpose.
You may enjoy the paper and code on theupdateframework.com to look into those kinds of issues...
Yes, it's really good.
They also gave me a link to https://github.com/akonst/tuf (see docs folder).