[tor-dev] Leif's important piece on update golden keys
spencerone at openmailbox.org
Mon Mar 7 16:11:00 UTC 2016
>> Holger Levsen:
>> https://reproducible-builds.org and
> Nathan Freitas:
However, even though reproducible-builds seems to address the manual install as well, which is good, I read the problem as being the actual backdoor of auto-update.
Since my Dad will not be able to make this verification, removing auto-update from the package is the only real resolution here.
Besides, given the broken/missing auto-update opt-out in packages like OrFox, it is difficult to trust the developers, since it is the user who defines "malicious".