[Tor www-team] Suggestions for Mirrors in Censored Countries

William Papper william at papper.me
Sun May 4 21:46:24 UTC 2014


If we can go up to 1.7GB, then that's not a problem. There could also be a
simple script setup to clone tbb-bin <https://github.com/glamrock/tbb-bin>
if GitHub does start to enforce the limit on our repo, or we could start
looking at external sources. My ideal is that someone can just use "git
clone" and have a working mirror, so I'd prefer for the script to be a
backup plan.

Is tbb-bin currently updated by a script, or is everything done manually?


On Sun, May 4, 2014 at 1:52 AM, Griffin Boyce <griffin at cryptolab.net> wrote:

> Should we loop in tor-talk on this? They might have some additional ideas
> =)
>
>
> William Papper wrote:
>
>> We're now looking for suggestions on providing downloads for
>> censored countries.
>>
>
>   I've been working on this recently with Satori [1][2], and decided to
> mirror on AWS, Github, and Chrome Web Store. (that last one is a logistical
> nightmare and not recommended).[4]
>
>   The reason is that these are places where there's a strong financial
> incentive for countries to not block them or MITM.  Doesn't mean that they
> won't wind up blocked or tampered with, but makes it less likely.  Both AWS
> and Github are also accessible in Iran and China.
>
>
>> 1. Host the downloads directly on each mirror
>> While this would work, the combined size of all of the files is
>> greater than GitHub's 1GB limit per repository.
>>
>
>   I've talked to github about this -- specifically about distributing
> software -- and they said that it's a soft limit.  I have repositories that
> are ~2GB which are fine.  Might be better to divide into individual repos
> by language if you're concerned they might change their policies.
>
>
>> 2. Use an external download mirror that is not torproject.org
>> Could we use something like Amazon S3 or Sourceforge?
>>
>
>   AWS is pretty straightforward, but I would not suggest Sourceforge due to
> their advertising policies.
>
>
>> 3. Provide torrents to users in censored countries
>> This seems much more difficult to block, which is good. I couldn't
>> find any official TBB torrents, though.
>>
>
>   Potential problem[3] with this is that if an adversary becomes a seeder,
> they can tally IP addresses of people trying to get ahold of circumvention
> software.  Highly problematic for people who might get a knock at the door.
>  Also, not sure how likely it is that the torrent trackers would just get
> blocked.
>
>
>> 4. Assume that the user is not living in a censored country
>>
>
>   Can you expand on this a bit?
>
> best,
> Griffin
>
> [1] https://github.com/glamrock/satori
> [2] https://chrome.google.com/webstore/detail/satori/oncomejlklhkbffpdhpmhldlfambmjlf
> [3] https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013158.html
> [4] So the process here is that one is distributing unlisted "apps" which
> are .crx files.  Within those compressed files are the TBB and a required
> manifest.json file.  That's pretty straightforward, and nigh-unblockable,
> but downloading a crx as a zip automatically is difficult for windows/mac
> (easy for linux). And there are currently 60 bundles total (30 for linux).
>  Making these could be scripted.  Every Google Chrome Developer account
> maxes out at 20 apps or extensions, so we'd still need to create/verify 2-3
> accounts if we wanted full language support.  Like I said, logistical
> nightmare, but I do it for Arabic, Farsi, and Chinese because the tradeoffs
> are IMO worth it (and 6 is no big deal).
>