[tbb-bugs] #27242 [Applications/Tor Browser]: hash-stable source tarball release of torbrowser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 21 15:23:34 UTC 2018

#27242: hash-stable source tarball release of torbrowser
     Reporter:  w3ICKRsTMaxPeO            |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 Could torbrowser please provide a source tarball release, which has a
 stable hash?

 The current releases are generated on-the-fly by git and a given release
 can have one hash today, but another hash tomorrow, even though it's the
 same release tarball.

 This poses a problem in any scenario where hash-verification of the source
 tarball is needed.

 Such is the case for instance with source-based GNU/Linux distros, like
 Gentoo. The package manager checks the hash of sources before building, for
 security and quality assurance reasons.

 The stability does not mean that the sources must be available for
 an extremely long time. It's OK if they vanish, because Gentoo has a
 mirroring system in place. The only requirement is that a given source URL
 has a constant hash.

 Reference of a downstream bug:

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27242>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
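
The failure mode the ticket describes, as an added example that is not part of the original report or of any Tor Project or Gentoo code: the same source tree is packed twice, and a digest pinned against the first download rejects the second. The ticket does not say why the bytes change; the example assumes one possible cause, a varying timestamp in the gzip header, and the tree contents, file names and timestamps are constructed.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree (not Tor Browser's real contents).
TREE = {
    "project-1.0/README": b"sample release\n",
    "project-1.0/src/main.c": b"int main(void) { return 0; }\n",
}

def make_tarball(tree, gzip_mtime):
    """Pack tree as .tar.gz in memory. Tar metadata is fixed, so the only
    thing that varies between calls is the gzip header timestamp (assumed cause)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = 0  # fixed member timestamp
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_pinned(tarball, pinned_hex):
    """What a source-based package manager does before building:
    compare the downloaded bytes against the digest recorded earlier."""
    return hmac.compare_digest(sha256_hex(tarball), pinned_hex)

def content_digests(tarball):
    """Per-file SHA-256 of archive members, ignoring the compression layer."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name: sha256_hex(tar.extractfile(m).read())
                for m in tar if m.isfile()}

if __name__ == "__main__":
    today = make_tarball(TREE, gzip_mtime=1534800000)     # constructed timestamps
    tomorrow = make_tarball(TREE, gzip_mtime=1534886400)
    pinned = sha256_hex(today)
    print("pinned digest accepts today's download:   ", verify_pinned(today, pinned))
    print("pinned digest accepts tomorrow's download:", verify_pinned(tomorrow, pinned))
    print("file contents identical:", content_digests(today) == content_digests(tomorrow))
```

The verifier cannot tell a regenerated archive from a tampered one, so a mismatch has to be treated as a failure; only a release file that is generated once and then served unchanged keeps the pinned digest valid.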