[tor-bugs] #28942 [Circumvention/Snowflake]: Evaluate pion WebRTC

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Aug 31 17:11:11 UTC 2019


#28942: Evaluate pion WebRTC
--------------------------------------------+------------------------------
 Reporter:  backkem                         |          Owner:  cohosh
     Type:  enhancement                     |         Status:  accepted
 Priority:  Medium                          |      Milestone:
Component:  Circumvention/Snowflake         |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  anti-censorship-roadmap-august  |  Actual Points:
Parent ID:                                  |         Points:  5
 Reviewer:                                  |        Sponsor:
                                            |  Sponsor28-must
--------------------------------------------+------------------------------

Comment (by dcf):

 Replying to [comment:46 cohosh]:
 > I think the easiest way to go forward here is to take boklm's suggestion
 > in https://trac.torproject.org/projects/tor/ticket/28325#comment:5 and
 > just package up the directory supplied by `go mod vendor`. I've attached a
 > zip file of working dependencies in `vendor.zip` above.

 Downloading a premade vendor.zip is a workable idea, but it does reduce
 the reproducible build's resistance to targeted attacks somewhat. To plant
 a backdoor in vendor.zip, an attacker would only have to subvert the
 computer of the developer that produces it (or the small number of
 developers who produce it and compare their copies with each other's).
 Once the vendor.zip is "blessed" with a checksum in a build script, no
 further builds will have a chance to detect the subterfuge. Maybe we could
 run the `go mod vendor` step in a `steps: fetch_sources:` step in
 projects/pion-webrtc/config instead? Compare
 [https://gitweb.torproject.org/user/dcf/tor-browser-build.git/tree/projects/webrtc/config?h=pion-webrtc&id=e7de4df2662b682acbd6937850584e65905e7a5e#n71 how it was done for webrtc]:
 projects/webrtc/config has a custom `fetch_sources` script that
 outputs a webrtc-sources-XXX.tar.gz, which is then
 [https://gitweb.torproject.org/user/dcf/tor-browser-build.git/tree/projects/webrtc/config?h=pion-webrtc&id=e7de4df2662b682acbd6937850584e65905e7a5e#n71 used]
 by projects/webrtc/build.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28942#comment:48>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
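
Added example, not part of the original comment or of tor-browser-build: one way a second builder could check an unpacked premade `vendor.zip` against a tree they regenerated themselves with `go mod vendor`, which is the check that a checksum blessed in a build script does not provide. The function names and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an unpacked premade vendor tree with one regenerated
# locally (for instance by `go mod vendor`). All names here are hypothetical.

# Print a path-sorted "sha256  ./relative/path" manifest of every file in a tree.
vendor_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# One digest over the manifest: equal digests mean same paths and same contents.
vendor_digest() {
    vendor_manifest "$1" | sha256sum | cut -d ' ' -f 1
}

# Return 0 if both trees match. Otherwise print each path that is missing
# from one side or whose contents differ, and return 1.
compare_vendor_trees() {
    premade=$1; regenerated=$2
    if [ "$(vendor_digest "$premade")" = "$(vendor_digest "$regenerated")" ]; then
        return 0
    fi
    tmp=$(mktemp -d)
    vendor_manifest "$premade" > "$tmp/a"
    vendor_manifest "$regenerated" > "$tmp/b"
    # Manifest lines present on only one side; strip the hash, keep the path.
    LC_ALL=C sort "$tmp/a" "$tmp/b" | uniq -u | sed 's/^[0-9a-f]* [ *]//' | LC_ALL=C sort -u
    rm -rf "$tmp"
    return 1
}

# Constructed sample: two tiny trees where one file differs in the premade copy.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/premade/example.org/lib" "$d/regen/example.org/lib"
    echo 'package lib' > "$d/regen/example.org/lib/lib.go"
    echo 'package lib // altered' > "$d/premade/example.org/lib/lib.go"
    echo 'constructed module list' > "$d/regen/modules.txt"
    cp "$d/regen/modules.txt" "$d/premade/modules.txt"
    compare_vendor_trees "$d/premade" "$d/regen"; status=$?
    rm -rf "$d"
    return $status
}
```

A match only shows that the two trees agree; the comparison is meaningful when the regenerated tree comes from a machine independent of the one that produced the archive.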

