[tor-bugs] #7603 [Tor bundles/installation]: TBB makefile downloads deps unauthenticated
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 1 16:19:37 UTC 2012
#7603: TBB makefile downloads deps unauthenticated
--------------------------------------+-------------------------------------
Reporter: cypherpunks | Owner: erinn
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Just noticed that the TBB build system does not authenticate the
dependencies it downloads. Some of the URLs (in versions*.mk) are plain
HTTP and FTP, but even for HTTPS, wget is called with --no-check-
certificate. And I don't see any verification of checksums or signatures
going on here.
Is the TBB build somehow decentralized and redundant, like the Bitcoin
people do it, so that this doesn't matter?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7603>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list