[tor-dev] Proposal: Check Maxmind GeoIP DB before distributing

Iain Learmonth irl at torproject.org
Sun Jul 1 14:54:11 UTC 2018


On 30/06/18 12:53, Jaskaran Singh wrote:
> 0. Motivation and Overview
> We're using Maxmind's (company registered in the US) GeoIP Database,
> which is not just antithetical to the philosophy that one should not
> totally rely on a service/software for all needs, but has some serious
> security repercussions too.

I would love to see a full list of all the places we currently use this
database and what security consequences could be.

Relevant tickets to this discussion that you may want to read have the
keyword "metrics-geoip" in trac.

Also, you may be interested in karsten's comment on #22203 where we talk
about downloading signed GeoIP files from the dirauths instead of
shipping them in the distribution.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20180701/d7c75110/attachment.sig>

More information about the tor-dev mailing list