[tor-bugs] #8289 [Tor bundles/installation]: check hashes of files we download against expected hash value
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 20 02:33:50 UTC 2013
#8289: check hashes of files we download against expected hash value
--------------------------------------+-------------------------------------
Reporter: ioerror | Owner: erinn
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent: #8288
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Per #8283, we need to check the hash of each file we download against the
expected value. This should ensure that we never build without explicitly
approving each new version _and_ a hash for each new version. It will also
ensure that when an attacker tampers with the file on the remote server,
we will not attempt to build likely hostile source bundles or load hostile
extensions.
I think I'll just write a simple macro to check all of the hashes after
all the downloads complete. Does that seem like a reasonable approach?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8289>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list