[tor-bugs] #7603 [Tor bundles/installation]: TBB makefile downloads deps unauthenticated

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 1 16:19:37 UTC 2012


#7603: TBB makefile downloads deps unauthenticated
--------------------------------------+-------------------------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new  
 Priority:  major                     |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 Just noticed that the TBB build system does not authenticate the
 dependencies it downloads. Some of the URLs (in versions*.mk) are plain
 HTTP and FTP, but even for HTTPS, wget is called with --no-check-
 certificate. And I don't see any verification of checksums or signatures
 going on here.

 Is the TBB build somehow decentralized and redundant, like the Bitcoin
 people do it, so that this doesn't matter?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7603>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list