If we can go up to 1.7GB, then that's not a problem. There could also be a simple script setup to clone tbb-bin if GitHub does start to enforce the limit on our repo, or we could start looking at external sources. My ideal is that someone can just use "git clone" and have a working mirror, so I'd prefer for the script to be a backup plan.

Is tbb-bin currently updated by a script, or is everything done manually?


On Sun, May 4, 2014 at 1:52 AM, Griffin Boyce <griffin@cryptolab.net> wrote:
Should we loop in tor-talk on this? They might have some additional ideas =)


William Papper wrote:

We're now looking for suggestions on providing downloads for
censored countries.

  I've been working on this recently with Satori [1][2], and decided to mirror on AWS, Github, and Chrome Web Store. (that last one is a logistical nightmare and not recommended).[4]

  The reason is that these are places where there's a strong financial incentive for countries to not block them or MITM.  Doesn't mean that they won't wind up blocked or tampered with, but makes it less likely.  Both AWS and Github are also accessible in Iran and China.


1. Host the downloads directly on each mirror
While this would work, the combined size of all of the files is
greater than GitHub's 1GB limit per repository.

  I've talked to github about this -- specifically about distributing software -- and they said that it's a soft limit.  I have repositories that are ~2GB which are fine.  Might be better to divide into individual repos by language if you're concerned they might change their policies.


2. Use an external download mirror that is not torproject.org
Could we use something like Amazon S3 or Sourceforge?

  AWS s pretty straightforward, but I would not suggest Sourceforge due to their advertising policies.


3. Provide torrents to users in censored countries
This seems much more difficult to block, which is good. I couldn't
find any official TBB torrents, though.

  Potential problem[3] with this is that if an adversary becomes a seeder, they can tally IP addresses of people trying to get ahold of circumvention software.  Highly problematic for people who might get a knock at the door.  Also, not sure how likely it is that the torrent trackers would just get blocked.


4. Assume that the user is not living in a censored country

  Can you expand on this a bit?

best,
Griffin

[1] https://github.com/glamrock/satori
[2] https://chrome.google.com/webstore/detail/satori/oncomejlklhkbffpdhpmhldlfambmjlf
[3] https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013158.html
[4] So the process here is that one is distributing unlisted "apps" which are .crx files.  Within those compressed files are the TBB and a required manifest.json file.  That's pretty straightforward, and nigh-unblockable, but downloading a crx as a zip automatically is difficult for windows/mac (easy for linux). And there are currently 60 bundles total (30 for linux).  Making these could be scripted.  Every Google Chrome Developer account maxes out at 20 apps or extensions, so we'd still need to create/verify 2-3 accounts if we wanted full language support.  Like I said, logistical nightmare, but I do it for Arabic, Farsi, and Chinese because the tradeoffs are IMO worth it (and 6 is no big deal).

________________________________________________________________________
Tor Website Team coordination mailing-list

To unsubscribe or change other options, please visit:
https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team