[tor-bugs] #6824 [Torouter]: Torrouter Update Mechanism

[Tor Bug Tracker & Wiki]

#6824: Torrouter Update Mechanism
----------------------+-----------------------------------------------------
 Reporter:  proper    |          Owner:  ioerror
     Type:  task      |         Status:  new    
 Priority:  normal    |      Milestone:         
Component:  Torouter  |        Version:         
 Keywords:            |         Parent:         
   Points:            |   Actualpoints:         
----------------------+-----------------------------------------------------
Changes (by ficus):

 * cc: ficus@… (added)


Comment:

 What is tpo?

 I think following debian security updates plus having buttons in the web
 interface to do full system upgrades (or dist-upgrades) is a good place to
 start. Users should definitely be able to opt-out of any automatic updates
 at all. I'm wary of engineering or over-thinking a complex solution to
 this concern at this point. Delaying automatic updates to once a week
 (random day of week) might be a good balance between timeliness of updates
 and robustness against sudden failure (assuming it takes ~24 hours to
 catch a problem with changes).

 An update-from-usb-stick-at-boot mechanism is a good recovery mechanism,
 but requires a non-reset button that could be held during boot (or perhaps
 just a more sophisticated bootloader).

 Some router distributions (pfSense) use a frame-buffer-like update
 mechanism so changes can be reverted to last-known-good in case there are
 problems after an update.

 Should all updates be fetched through Tor? What if Tor is unavailable
 because updates are required to connect to the network? I guess deciding
 that would require threat modeling.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6824#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online