[tor-bugs] #28682 [Core Tor]: Carml lacks PGP signatures and instructions for secure installation

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 2 07:55:53 UTC 2018


#28682: Carml lacks PGP signatures and instructions for secure installation
--------------------+--------------------------
 Reporter:  wagon   |          Owner:  meejah
     Type:  defect  |         Status:  assigned
 Priority:  Medium  |      Component:  Core Tor
  Version:          |       Severity:  Normal
 Keywords:  carml   |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+--------------------------
 Meejah's carml isn't listed as officially supported by Tor Project, but
 meejah is somehow listed among Tor people and carml itself is officially
 [[https://blog.torproject.org/exploring-tor-carml|advertised]] in Tor
 blog. So, I suppose this ticket can be accepted here.

 == Problem 1: no signatures

 Correct me if I'm wrong. There are no PGP signatures of
 [[https://github.com/meejah/carml/releases|carml releases]] anywhere at
 [[https://carml.readthedocs.io/en/latest/releases.html|project pages]]
 (however, txtorcon library is signed).

 == Problem 2: no python3 docs

 [[https://carml.readthedocs.io/en/latest/installation.html|Documentation
 on installation]] is written for python2 instead of python3. However,
 support of python3 is claimed. In particular, there is no `virtualenv`
 command for python3, as `pyvenv` [[https://askubuntu.com/questions/279959/how-to-create-a-virtualenv-with-python3-3-in-ubuntu|is used]] instead.

 == Problem 3: no secure installation of carml dependencies

 `pip install <projectname>` with automatic download of all dependencies
 from repository, as recommended in documentation, should never be used in
 secure environments, because packages in this repository are not signed
 (even if they are signed, their signatures are not checked by default).
 Actually, some dependencies (probably, old versions) can be installed as
 standard Debian packages, but `pip` will not be able to see them by
 default (especially in `pyvenv` environment). There is only one way to
 install it securely:
 1. Download carml bundle and its signature.
 2. Download bundles for **all** carml dependencies and their signatures.
 3. Verify signatures of all downloaded bundles manually (don't ask me what
 to do if somebody releases his code without signatures).
 4. Disconnect from network.
 5. Install carml and its dependencies as `pip install /path/to/local-bundle`
 6. Create some symlinks, so carml can find all dependencies it needs.
 This is what I expect to see in documentation. For instance, for Nyx it
 was done
 [[https://trac.torproject.org/projects/tor/ticket/28332#comment:7|exactly
 so]] (but it has only one dependency, Stem):
 1. Download Nyx, its signature, and verify it.
 2. Download Stem, its signature, and verify it.
 3. Install Stem, install Nyx, create necessary symlink.
 As a workaround I'd suggest putting all necessary dependencies in a signed
 carml bundle, so users will not suffer while assembling this
 constructor.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28682>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
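The offline, signature-checked installation the reporter describes in steps 1 to 5, as an added example that is not part of the ticket or of carml itself. It assumes detached signatures are distributed as `<bundle>.asc` files next to each downloaded bundle, and a dedicated keyring file holding only the keys you deliberately imported for this purpose (both assumptions; the hypothetical `install_verified` helper is mine).

```python
"""Verify detached PGP signatures on locally downloaded Python bundles,
then install them with pip without contacting any package index."""
import subprocess
import sys
from pathlib import Path

ARTIFACT_SUFFIXES = (".whl", ".tar.gz", ".zip")


def pair_artifacts(names):
    """Map each artifact to its detached signature (assumed: <name>.asc).
    Returns (pairs, unsigned); any artifact without a signature file is
    listed in unsigned so the caller can refuse to install."""
    names = set(names)
    pairs, unsigned = {}, []
    for name in sorted(names):
        if not name.endswith(ARTIFACT_SUFFIXES):
            continue
        sig = name + ".asc"
        if sig in names:
            pairs[name] = sig
        else:
            unsigned.append(name)
    return pairs, unsigned


def gpg_verify(keyring, sig_path, artifact_path):
    """Verify one detached signature against a dedicated keyring only,
    not the user's default keyring. The keyring path is resolved because
    gpg looks up a bare filename inside its home directory."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(Path(keyring).resolve()),
           "--verify", str(sig_path), str(artifact_path)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def pip_install_command(bundle_dir, package, python=sys.executable):
    """pip invocation resolving everything from bundle_dir: --no-index
    forbids talking to PyPI, --find-links points at the verified files."""
    return [python, "-m", "pip", "install", "--no-index",
            "--find-links", str(bundle_dir), package]


def install_verified(bundle_dir, keyring, package):
    """Refuse to install unless every bundle in bundle_dir has a valid signature."""
    bundle_dir = Path(bundle_dir)
    pairs, unsigned = pair_artifacts(p.name for p in bundle_dir.iterdir())
    if unsigned:
        raise SystemExit("refusing to install; unsigned bundles: %s" % unsigned)
    for artifact, sig in pairs.items():
        if not gpg_verify(keyring, bundle_dir / sig, bundle_dir / artifact):
            raise SystemExit("bad signature on %s" % artifact)
    subprocess.check_call(pip_install_command(bundle_dir, package))


if __name__ == "__main__":  # usage: script.py <bundle_dir> <keyring> <package>
    install_verified(*sys.argv[1:4])
```

`--no-index` stops pip from reaching the network on its own, but it does not replace step 4: dependencies are still resolved only from the files you verified, so a missing one fails the install instead of being fetched.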

