[tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?

Roman Mamedov rm at romanrm.net
Sun Sep 8 07:56:09 UTC 2019


On Sat, 7 Sep 2019 20:20:06 +1000
teor <teor at riseup.net> wrote:

> > As with adding any third-party repository, it means trusting the repository
> > provider to install and run any root-privilege code on the machine. In case
> > the repository server (or actually the release process, including signing) is
> > compromised, on the next update it can serve malicious or backdoored versions
> > of the software. So naturally from the security standpoint it is beneficial to
> > add (and trust) as few repositories as possible, just to reduce the "attack
> > surface".
> 
> So one thing Tor could do here is run easily and securely without root?

This will not address the concern, because AFAIK in Debian the package
management scripts (contained inside the .deb's DEBIAN dir: preinst, postinst,
prerm and postrm) always run with root privileges on package addition or
removal.

-- 
With respect,
Roman

