[tor-dev] TUF Repository for Tor Browser

bancfc at openmailbox.org bancfc at openmailbox.org
Fri Jun 10 14:22:04 UTC 2016


In light of the technical obstacles that prevent packaging Tor Browser 
(see below), I propose operating a repository that relies on The Update 
Framework (TUF) [0]. TUF is a secure updater system designed to resist 
many classes of attacks [1]. It's based on Thandy (the work of Roger, 
Nick, Sebastian and others).

The advantage of this proposal is that (Tor-based distros and others in 
general) can finally retire the TBB downloaders and shed the maintenance 
burden. Also there is no need to re-invent secure download mechanisms 
when there is a project that already covers this.

***

Rehash of previous discussions on the topic:

The major reasons why TBB is not in the Debian repository:

* The reproducible build system depends on a static binary image of 
(then Ubuntu) which runs counter to Debian policy.

* TBB is based on Firefox ESR and not Iceweasel which also runs into the 
"no duplicate source package" policy of Debian.


Reasons for unavailability of TBB .deb in the Tor Project APT 
repository:

* The breakneck speed of development

* It's not easily packaged and the amount of effort needed is better 
spent otherwise.



***

[0] https://theupdateframework.github.io/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

