[tor-bugs] #8286 [Tor bundles/installation]: Fetch software during TBB build process only over trusted HTTPS
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 20 01:42:43 UTC 2013
#8286: Fetch software during TBB build process only over trusted HTTPS
--------------------------------------+-------------------------------------
Reporter: ioerror | Owner: erinn
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Currently, we fetch software using wget and we do so with all certificate
checking disabled. I believe we should have a mirror of all the source
code that we expect people to download and we should offer it over HTTPS.
I've put up such a mirror here as a proof of concept:
https://people.torproject.org/~ioerror/src/mirrors/
I'll attach some patches to help ensure that we allow wget to verify the
HTTPS cert and to ensure that we use the secure mirror.
Later, we can find a location for a mirror that is more permanent as this
improves the security of the build process tremendously. It also improves
the reliability as some of the download sites are extremely slow or use
protocols that are prone to censorship. :(
Thoughts?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8286>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list