[tor-dev] TUF Repository for Tor Browser

carlo von lynX lynX at time.to.get.psyced.org
Fri Jun 10 16:01:46 UTC 2016

On Fri, Jun 10, 2016 at 04:22:04PM +0200, bancfc at openmailbox.org wrote:
> In light of the technical obstacles that prevent packaging Tor
> Browser (see below), I propose operating a repository that relies on
> The Update Framework (TUF) [0]. TUF is a secure updater system
> designed to resist many classes of attacks [1]. It's based on Thandy
> (the work of Roger, Nick, Sebastian and others).

The README sounds good, but it being implemented in Python adds quite
a heavy additional dependency. Isn't the same achievable by means of
a git library, using signed git commits and additional consistency
checks (git fsck or something)? This should only allow for updates
which are forward in time and signed by the correct authors.
Additionally you could check(sum) the commit times, thus ensuring
that an update didn't get intentionally cut off at last month's
insecure version. This would address most of the points you list in

Additionally, if git is only used for the metadata, leaving to the user
to decide when to download or torrent a certain new hashed version, then
it can provide daily or weekly keep-alive commits, making it hard for
an attacker to usurp the rare condition by which a torbrowser that has
not been used for months needs updates and could be lured into fetching
an insecure version. Maybe the git library needs to be hardened regarding
"endless data" and "slow retrieval" attacks, which would then be
something any git user would appreciate.

I personally am not affected by the Debian issues. Since I
never understood why it should make sense to trust the Debian
build process I happily enjoy MeisterP's excellent torbrowser
overlay for Gentoo. I even get to configure it so that it uses
my Tor router rather than any embedded one.

  E-mail is public! Talk to me in private using encryption:

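The checks proposed in the message above (signed metadata commits, forward-only history, increasing commit times, and keep-alive commits for freshness), sketched as an added example that is not part of the original post and is not code from TUF or git. Commits are modelled in plain Python, an HMAC stands in for real commit signatures, and `MAX_AGE`, `Commit`, `sign`, `check_update` and `build_chain` are hypothetical names.

```python
import hashlib, hmac
from dataclasses import dataclass

MAX_AGE = 7 * 86400  # assumption: keep-alive commits arrive at least weekly

@dataclass(frozen=True)
class Commit:
    parent: str    # id of the previous metadata commit ("" for the root)
    time: int      # commit time, seconds since the epoch
    payload: str   # hash of the current release, or "keep-alive"
    sig: str = ""  # HMAC stand-in for a real commit signature

    def body(self) -> bytes:
        return f"{self.parent}\n{self.time}\n{self.payload}".encode()

    def cid(self) -> str:
        return hashlib.sha256(self.body()).hexdigest()

def sign(key, parent, time, payload):
    mac = hmac.new(key, Commit(parent, time, payload).body(), "sha256").hexdigest()
    return Commit(parent, time, payload, mac)

def check_update(commits, head, trusted, key, now, max_age=MAX_AGE):
    """Walk from the offered head back to the commit the client already trusts."""
    cur, child_time = head, None
    while True:
        c = commits.get(cur)
        if c is None or c.cid() != cur:
            return "rollback-or-fork"    # trusted commit is not an ancestor of head
        mac = hmac.new(key, c.body(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, c.sig):
            return "bad-signature"
        if child_time is not None and c.time > child_time:
            return "time-goes-backwards"
        if cur == trusted:
            break
        cur, child_time = c.parent, c.time
    if now - commits[head].time > max_age:
        return "stale-head"              # newest commits may have been withheld
    return "ok"

def build_chain(key, start, payloads, step=86400):
    """Constructed sample history: one signed commit per day."""
    commits, parent, ids = {}, "", []
    for i, payload in enumerate(payloads):
        c = sign(key, parent, start + i * step, payload)
        parent = c.cid()
        commits[parent] = c
        ids.append(parent)
    return commits, ids
```

The `stale-head` verdict is the case the keep-alive commits exist for: a client that has been offline for months rejects a validly signed head that is older than the keep-alive interval.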