[tor-talk] torproject package repository

dguthrie at posteo.net dguthrie at posteo.net
Thu Aug 10 21:55:16 UTC 2017


With the exception that their servers are likely to still be rooted.

James:
> Duncan:
> 
>> 
>> For future reference, Mint is based on Ubuntu. Find out the
>> corresponding version that Mint is basing on, and use the Tor
>> Project's Deb repository for that (this is almost certainly how it has
>> been configured). I don't know what Mint's policy is but I'd be very
>> surprised if this was default. Maybe you added it and forgot about it
>> at an earlier date. I suppose it's possible they have it listed under
>> additional repositories for the sake of convenience for Mint's users.
>> 
>> A word of warning I'd urge you to take heed of: Mint have had some
>> severe security issues in the past, both in updating packages (by
>> default they hold essential security updates such as to the kernel
>> back for "stability") and issues on their server. In a nutshell, they
>> have been running a large software project like amateurs and their
>> servers were accordingly rooted.
>> They had their servers compromised twice within the last two years, by
>> means of outdated and ill-configured WordPress plugins. Their forum
>> contents, including user details and passwords, were compromised and
>> put up for sale for a paltry sum on some dodgy website (if I remember
>> the reporting at the time, this happened more than once); and downloads
>> were replaced with malicious ISO images that included spyware.
>> There is no evidence they changed their security practices, so it's
>> reasonable to suggest that their servers are still compromised, or
>> that it is so trivial to do so that it will happen again. I would
>> recommend installing Debian or Ubuntu directly, as both these
>> distributions have good security practices.
>> 
>>> But the only package that shows up in Mint's software manager is
>>> "torbrowser-launcher", maintained by Ubuntu Developers
>>> <ubuntu-devel-discuss at lists.ubuntu.com>.
>>> I was curious if anyone used this torbrowser-launcher, or if
>>> Torproject devs would highly frown on it?
>>> 
>>> Its description:  "helps download & install torbrowser." Doesn't
>>> mention anything about it verifying TBB signature, which I always do.
>>> 
> 
>> Best,
>> Duncan
> http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html
> 
> https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
> 
> https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure
> 
> https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
> 
> Duncan, I think you're trashing a distro based on what happened in 17.3
> from overseas. The smart thing is to checksum the download. There are a
> few articles above that talk about this. And there are two sets that
> verify the downloads now. So, in fairness, I believe Mint isn't any
> different than Ubuntu or Debian. Don't forget Debian was vulned a while
> back too. All of these come from the same place and some of these repos
> are interchangeable. I think your subjective ideas are simply out of
> date and wrong now. (P.S., there are more links to prove what I am
> saying here)

