[tor-dev] Leif's important piece on update golden keys

Spencer spencerone at openmailbox.org
Mon Mar 7 16:11:00 UTC 2016


>> Holger Levsen:
>> https://reproducible-builds.org and 
>> https://reproducible.debian.net 


> Nathan Freitas:
> https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds


However, even though reproducible-builds seems to address the manual install as well, which is good, I read the problem as being the actual backdoor of auto-update.

Since my Dad will not be able to make this verification, removing auto-update from the package is the only real resolution here.

Besides, given the broken/missing auto-update opt-out in packages like OrFox, it is difficult to trust the developers, since it is the user who defines "malicious".


More information about the tor-dev mailing list