ilv wrote:
With this in mind, we have been discussing about the idea of having a signed and verified distributor app (desktop), available on official channels (OSX app store, Google Chrome store, etc), which could ease the process of downloading and verifying the integrity of Tor Browser. In other words, a user should be able to download and make sure it has the right file with just a few clicks.
While I don't necessarily want to discourage you from working on GetTor, it's worth noting the duplicated effort in terms of distribution apps. My primary project makes downloading Tor (and other privacy software) from un-censored sources easy, verifying sha256 hashes easy, along with distributing tutorials and bridges [1][2].
The project is called Satori -- it's under heavy development, but has traction, particularly in Iran and China [3]. Satori comes partly from the fact that I don't scale -- 1-to-1 distribution is important but takes a lot of time and a handful of trainers can't help everyone. So I can write applications and increase my positive impact (particularly once guides are included and translations are finished). Downloads are via accessible CDNs and torrents.
To answer your questions: 1) distributors are important IMO (see above). 2) I've always liked the idea of email autoresponders for software, but as the size of the Tor Browser increases, I'm not sure how viable it will be. It may be worthwhile to experiment with sending unblocked CDN links and torrent files. 3) I considered an API but don't think it would work as it just recreates the single point of failure that one is trying to avoid with this kind of project. At least for me, the focus on CDN and bittorrent-based software distribution make the most sense.
best, Griffin
[1] http://imgur.com/a/EIR80 [2] https://github.com/glamrock/satori [3] [the Chrome version's been out for more than a year]