[tor-talk] torproject package repository

Duncan dguthrie at posteo.net
Thu Aug 10 12:51:19 UTC 2017


Hi Joe,

Joe Btfsplk:
> Looking at https://www.torproject.org/docs/debian.html.en, it mentions
> the repository deb http://deb.torproject.org/torproject.org
> <DISTRIBUTION> main.
> Where distribution is the code name of the distro.
> Is the only package from this repo Tor itself and not Tor Browser? If
> it does host Tor Browser, would the package also work for Mint 18.1
> Serena?
> 

Tor Browser is not hosted in the Tor Project's deb repositories because 
there are concerns that people would not update their browser when a new 
version is released - Tor Browser basically has automatic updates 
already (in that it puts a scary warning when you start it up and it 
detects that it is out of date) so the concern is that people don't 
refresh their Debian repository as often as would be necessary to get 
crucial updates to Tor Browser.

> However, the Torproject repo is / was already entered under
> "additional repositories" in my software manager and the signing key.
> It must have been added by the distro, as I didn't know this
> torproject repo existed.
> 

For future reference, Mint is based on Ubuntu. Find out the 
corresponding version that Mint is basing on, and use the Tor Project's 
Deb repository for that (this is almost certainly how it has been 
configured). I don't know what Mint's policy is but I'd be very 
surprised if this was default. Maybe you added it and forgot about it at 
an earlier date. I suppose it's possible they have it listed under 
additional repositories for the sake of convenience for Mint's users.

A word of warning I'd urge you to take heed of: Mint have had some 
severe security issues in the past, both in updating packages (by 
default they hold essential security updates such as to the kernel back 
for "stability") and issues on their server. In a nutshell, they have 
been running a large software project like amateurs and their servers 
were accordingly rooted.
They had their servers compromised twice within the last two years, by 
means of outdated and ill-configured Wordpress plugins. Their forum 
contents, including user details and passwords, were compromised and put 
up for sale for a paltry sum on some dodgy website (if I remember the 
reporting at the time, this happened more than once); and downloads were 
replaced with malicious ISO images that included spyware.
There is no evidence they changed their security practices, so it's 
reasonable to suggest that their servers are still compromised, or that 
it is so trivial to do so that it will happen again. I would recommend 
installing Debian or Ubuntu directly, as both these distributions have 
good security practices.

> But the only package that shows up in Mint's software manager is
> "torbrowser-launcher", maintained by Ubuntu Developers
> <ubuntu-devel-discuss at lists.ubuntu.com>.
> I was curious if anyone used this torbrowser-launcher, or if
> Torproject devs would highly frown on it?
> 
> Its description:  "helps download & install torbrowser." Doesn't
> mention anything about it verifying TBB signature, which I always do.
> 
> This is the description:
> 
> "When you first launch Tor Browser Launcher, it will download TBB from
> https://www.torproject.org/ and extract it to 
> ~/.local/share/torbrowser,
> and then execute it.
> Cache and configuration files will be stored in ~/.cache/torbrowser and
> ~/.config/torbrowser.
> Each subsequent execution after installation will simply launch the 
> most
> recent TBB, which is updated using Tor Browser's own update feature.
> where TBB would be installed."

Tor Browser Launcher is not produced by the Tor Project. It was in 
Debian Jessie (8, oldstable) in the contrib section, because, while 
distributing only free software, it downloads executable software that 
Debian does not build from source. It was removed from Debian Stretch 
(9, the new stable version) because it was difficult to maintain.
The problems related to the way it does signature verification - it has 
a GPG keyring of the Tor Browser developers' keys, and then it verifies 
the signature against that. However, because of how it is designed, 
sometimes false positives occur when the keys of the Tor Browser 
developers change or are updated, and it will always print a scary 
warning that signature verification failed.

See https://github.com/micahflee/torbrowser-launcher/issues/263

Best,
Duncan


More information about the tor-talk mailing list