Version checking (was Re: 25 tbreg relays in directory)

Scott Bennett bennett at cs.niu.edu
Wed Apr 29 10:49:49 UTC 2009


     On Wed, 29 Apr 2009 03:13:52 -0700 (PDT) Tripple Moon
<tripple.moon at yahoo.com> wrote:
>first off, please only reply to the mailing-list address otherwise ppl like me are getting your messages double, just like you will get now...
>
     My apologies.  You did request that before, and I simply forgot.
It is accepted courtesy on most mailing lists to address a followup
both to the list and to the author of the article(s) being followed up.
When someone asks me to deviate from that standard, I am happy to
oblige, but just made a mistake in this case.  I will try to remember
better in the future.
>
>--- On Tue, 4/28/09, Scott Bennett <bennett at cs.niu.edu> wrote:
>[cut for clarity]
>>      Laying aside for the moment the matter of how the rest of the tor nodes
>> should determine the trustworthiness/credibility of the tor instance making
>> the announcement or even why the tor network, either as a "whole" or as
>> individual nodes, should care about the integrity of a client (!), how do you
>> propose to calculate a verification digest--a CRC would not likely be
>> considered adequately reliable--based upon the executable binary of software
>> that
>> 	a) comes in many successive versions,
>> 
>> 	b) can be compiled for many hardware architectures, not all of which
>> 	are necessarily known to the developers,
>> 
>> 	c) can be compiled for many operating systems, not all of which are
>> 	necessarily known to the developers, and
>> 
>> 	d) can be compiled by untold numbers of versions of many compilers,
>> 	not all of which are necessarily known to the developers?
>All of the above can be waifed void, when those versions are announced on the mailing list.

     "Waifed"?  What language are you borrowing that from?  And what does
it mean?  "Waif" in English is a noun having a meaning that bears no
obvious connection to this discussion.
     Hmm...on the off-chance that you intended to type "waived", I think I
can see an intended meaning, although the use of the word is still incorrect
in this context.  Please keep in mind that tor is distributed in a number
of forms, one of which is source code that can be compiled on any version
of any system with a compatible C compiler and required libraries.  I
frankly doubt that anyone on this list or on the development team could
come up with the definitive, comprehensive list of such systems.
     An item I missed when writing the list above is that the required
libraries, which are independent of the tor project, of course, also
come in a wide variety of versions, architectures, and operating system
implementations and may have been compiled under a variety of different
C compilers and versions.
     If my speculation about your intended meaning is correct, then on the
face of it, your suggestion is outlandish.
>> 
>> >IMHO, this kind of "login procedure to enter the tor-network" will make it more secure and manageable.
>> 
>>      More secure and manageable for whom??  Big Brother?  Obviously not for
>> the supposedly anonymous tor user...jeesh.
>Of course not silly....
>- More secure for the "anonymous tor user" because he will be forced to upgrade its client to stay connected to the tor-network, if (s)he doesn't upgrade his/her insecure client (s)he will be denied by other tor's to the network.

     While simultaneously adding to his/her risk of breached anonymity?
While offering him/her no anonymity at all in obtaining an up-to-date version?
While still allowing, as another writer has pointed out (sorry, I've deleted
the message and have forgotten who wrote it) already, a tampered client to
send an unaltered copy for checking?

>- More manageable for the tor development team, because they will know exactly which versions are being used by current users of the tor program.

     The tor development team probably doesn't need to know that.  They
already make tor available in forms compatible with the most common systems,
while providing source code for those who need/want to make it work on their
own systems.  For example, tor is available in precompiled bundles for
Micro$lop Windows systems and Mac OS X systems.  It is also available in
forms for easy installation onto several kinds of LINUX systems.  For UNIX
systems other than Mac OS X, it is necessary to download the source and
compile it.  That includes *BSD systems, Solaris systems, and so on.
     I think you really need to spend more time thinking about the
ramifications of what you suggest before posting them.
>> 
>> >Again, I have _no_ idea at present how the tor program handles things at present, so if it's already done like that or even better just disregard what I wrote :D
>> >
>>      It doesn't, and it shouldn't.

     In case it is unclear to the casual reader, my statement above was
in reference to any sort of verification of clients any other part of the
tor network.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
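
The two objections in the message above, sketched as an added example that is not part of the original post and is not tor code: a digest allowlist rejects an honest build compiled from source, and admits a modified client that measures an unaltered copy, even when the check uses a fresh nonce. The byte strings, the `Client` and `Verifier` classes, and the nonce protocol are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for executables; not real tor binaries or versions.
OFFICIAL_BUILD = b"tor-X.Y.Z|compiler-A|os-A|arch-A|<machine code>"
SOURCE_BUILD = b"tor-X.Y.Z|compiler-B|os-B|arch-B|<machine code>"  # same source
PATCHED_BUILD = OFFICIAL_BUILD + b"|<local modification>"


def measure(binary: bytes, nonce: bytes) -> bytes:
    """Fresh digest of a binary: HMAC-SHA256 keyed with the verifier's nonce."""
    return hmac.new(nonce, binary, hashlib.sha256).digest()


class Client:
    """A client that measures `presented`, whatever code it actually runs."""

    def __init__(self, running: bytes, presented: bytes):
        self.running = running
        self.presented = presented

    def respond(self, nonce: bytes) -> bytes:
        return measure(self.presented, nonce)


class Verifier:
    """Hypothetical relay-side check against the announced builds."""

    def __init__(self, announced_builds):
        self.announced = list(announced_builds)

    def admit(self, client: Client) -> bool:
        nonce = os.urandom(16)  # prevents replay of an old answer
        answer = client.respond(nonce)
        return any(hmac.compare_digest(answer, measure(b, nonce))
                   for b in self.announced)


def run_demo() -> dict:
    verifier = Verifier([OFFICIAL_BUILD])
    return {
        "official build": verifier.admit(Client(OFFICIAL_BUILD, OFFICIAL_BUILD)),
        # Honest user who compiled from source: rejected (false reject).
        "source build": verifier.admit(Client(SOURCE_BUILD, SOURCE_BUILD)),
        # Modified client answering with an unaltered copy: admitted.
        "modified client": verifier.admit(Client(PATCHED_BUILD, OFFICIAL_BUILD)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The verifier only ever sees bytes the client chose to measure, so the outcome says nothing about the code that is actually executing.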


