Matthew Finkel schreef op 03/05/15 om 14:47:
On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but if beside providing an executable or verifiable shell script, I'm running low on solutions.
[0] https://www.torproject.org/getinvolved/tshirt
Thanks, Matt
Hi Matt,
How about :
* Primarily using ContactInfo for the verification * If you cannot match the ContactInfo, ask people to set it on their relays * If they are unwilling/unable to do so, ask them to sign their mail address using their secret Tor key * Implement a --sign option for Tor 0.2.7 * Starting a year from now, just ask everyone to sign the request
Proving ownership of a Tor relay can be relevant for more applications than just Weather, so a simple --sign option can be good to have. That doesn't address the immediate concerns though, it's more of a long-term solution.
Tom