[tor-bugs] #7989 [Website]: revise OS X relay instructions

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 27 21:46:57 UTC 2013


#7989: revise OS X relay instructions
---------------------+------------------------------------------------------
 Reporter:  phobos   |          Owner:              
     Type:  defect   |         Status:  needs_review
 Priority:  normal   |      Milestone:              
Component:  Website  |        Version:              
 Keywords:           |         Parent:              
   Points:           |   Actualpoints:              
---------------------+------------------------------------------------------

Comment(by arfarf):

 I have a few concerns with steps 1 and 2, and usage of Homebrew in
 general.

 Step 1:

 {{{
 ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"
 }}}

 This will insecurely (-k = no certificate checks) load code from Homebrew
 and send it to the ruby interpreter. This is how Homebrew advertises their
 install method, but it isn't secure in the slightest. I'm not aware any
 reasonably secure way to bootstap Homebrew, as it wasn't designed with
 security in mind.

 {{{
 brew install tor
 }}}

 The only verification done here will be a check of the MD5 checksum
 provided by brew. I suppose it may be possible to download the Tor
 tarball, confirm the signature with GPG, and move the tarball to the
 /Library/Caches directory before running the install command; however any
 minor mistakes in the process would just cause brew to download the
 source.

 A better solution may be packaging and signing a standalone Tor relay
 build, so that concerned end-users can verify GPG signatures.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7989#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list