[tor-bugs] #8542 [GetTor]: More options on how to get the bundles
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 22 03:46:22 UTC 2014
#8542: More options on how to get the bundles
-----------------------------+-----------------
Reporter: mrphs | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: GetTor | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+-----------------
Comment (by mrphs):
For the sake of having public record, as requested by sukhbir and phobos,
I'm going to copy/paste my reply from a non-public thread to here.
===============
> > When I played with !GetTor, and tried to make it send via Gmail, I
registered [redacted] a.t gmail. I don't think the username really
matters, as it does not show up in the URLs, does it?
> It should not matter and this should be fine. Are you OK with sharing
the details of this account? If yes, please pass them on to me, CCing Nima
and anyone else who would like to have access to the account.
we should be super cautious about these accounts. as if someone would be
able to get a hold of them or recover any of them, would be able to send
malicious software to a huge number of users. And please have it in mind
we made this dropbox account just for test. I don't know how we keep
credentials at Tor Project. Maybe weasel or phobos can help us here?
> > You still send out 5 or something links pointing to direct mirrors, do
you? At least you should.
> No because I have been told that those mirrors no longer work. If this
information is incorrect, please point me to the mirrors and I will update
the message.
in an ideal situation, we should provide options for users on how they
would like to download the bundles. and we should do it in our first
(welcome) email.
Options such as cloud links, zip file, mirrors, magnet, torrent, etc.
And yes, you're right that we should send out at least one mirror link
with every request. I say one as I believe we should keep it as minimal as
we can. we need room to teach them how to check sig and hash.
> I would like to see what the recent situation is? Because like Iran was
also blocking some websites but now the situation is different. Is China
actively blocking Gmail and Dropbox? If yes, then I am open to ideas for
newer services because right now our implementation supports only Gmail
and Dropbox. Of course this means you have to suggest some services which
have an API that we can make use of and that we can "trust" :)
I don't think if we necessarily need to ''/trust/'' any of these could
services. what we need to do is to make sure users always check the
signatures and sha256sum.
Google, dropbox and bunch of other western services are blocked in china
and I'm not sure if you remember, but I had this idea of ...
(bare with me, it may sound horrible but needs more discussion)
using Chinese cloud services (including but not limited to 'baidu'). I
even checked their API and there are some cool hacks which we can upload
our bundles to their cloud without them knowing where is it coming from.
well they probably can run a filter and check the hash, detect and drop
the file, but I have some ideas to get around that too. Anyways I mean,
we're brainstorming, right? plus, cloud is cloud. us, uk or chinese
services. what's the difference? I believe we should just take the
advantage of it. and teach our users how to make sure they got the right
piece of software.
PS: for the sake of record: one other thing we should keep it in mind is
to find a way to send out a new short-user-manual out with our emails. but
I'd leave it to another discussion.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8542#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list