On Thu, Oct 3, 2013 at 12:24 PM, CodesInChaos <[email protected]> wrote:
> ...
> I don't think disabling auto-update is a good idea. What we need is secure
> auto update.

agreed.

> This involves:
> 1) requiring multiple signatures on the update by people in different
> jurisdictions
> 2) Reproducible builds
> 3) A Certificate Transparency like log of all updates.
>
> I believe TOR is doing some work on points 1) and 2).

there are additional concerns regarding the implementation of updates and key management for the updates as well. see:

http://www.cs.arizona.edu/stork/
http://www.cs.arizona.edu/stork/packagemanagersecurity/papers.html
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy
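The three requirements in the quoted list, as an added example that is not part of the thread and not code from Tor, Thandy or Stork: an update client that accepts an artifact only when a threshold of trusted signers from distinct jurisdictions have signed its digest (point 1), where the digest is assumed to be of a reproducibly built artifact (point 2), and a hash-chained append-only log of accepted digests standing in for a Certificate Transparency style log (point 3). The signer names, the "DE"/"IS" jurisdiction labels, the 2-of-3 policy and the fixed-seed test keys are all constructed for the example; a real deployment would use a Merkle-tree log with inclusion and consistency proofs, not a plain hash chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signer is a trusted update signer plus the jurisdiction it operates in (hypothetical labels);
// Signature is one signer's Ed25519 signature over the update digest.
type Signer struct{ Name, Jurisdiction string; PublicKey ed25519.PublicKey }
type Signature struct{ SignerName string; Sig []byte }

// Policy: at least Threshold valid signatures from at least MinJurisdictions distinct jurisdictions.
type Policy struct{ Threshold, MinJurisdictions int }

// UpdateDigest is what signers sign: SHA-256 of the artifact, assumed to come from a reproducible build.
func UpdateDigest(update []byte) []byte {
	d := sha256.Sum256(update)
	return d[:]
}

// VerifyUpdate accepts the update only if the signatures satisfy the policy;
// unknown signers, repeated signers and bad signatures are simply not counted.
func VerifyUpdate(trusted []Signer, policy Policy, update []byte, sigs []Signature) error {
	digest := UpdateDigest(update)
	byName := map[string]Signer{}
	for _, s := range trusted { byName[s.Name] = s }
	counted, jurisdictions := map[string]bool{}, map[string]bool{}
	for _, sig := range sigs {
		s, ok := byName[sig.SignerName]
		if !ok || counted[s.Name] || !ed25519.Verify(s.PublicKey, digest, sig.Sig) {
			continue
		}
		counted[s.Name], jurisdictions[s.Jurisdiction] = true, true
	}
	if len(counted) < policy.Threshold {
		return fmt.Errorf("%d valid signatures, policy needs %d", len(counted), policy.Threshold)
	}
	if len(jurisdictions) < policy.MinJurisdictions {
		return fmt.Errorf("%d jurisdictions, policy needs %d", len(jurisdictions), policy.MinJurisdictions)
	}
	return nil
}

// UpdateLog is a hash-chained, append-only record of accepted digests: each Head is
// SHA-256(previous Head || Digest), a simplified stand-in for a Certificate Transparency style log.
type LogEntry struct{ Digest, Head []byte }
type UpdateLog struct{ Entries []LogEntry }

func chainHead(prev, digest []byte) []byte { d := sha256.Sum256(append(append([]byte(nil), prev...), digest...)); return d[:] }

// Append records a digest; the returned Head commits to every earlier entry.
func (l *UpdateLog) Append(digest []byte) LogEntry {
	prev := make([]byte, sha256.Size) // all-zero head before the first entry
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Head
	}
	l.Entries = append(l.Entries, LogEntry{digest, chainHead(prev, digest)})
	return l.Entries[len(l.Entries)-1]
}

// VerifyChain recomputes every head; an altered, reordered or removed entry breaks the chain.
func (l *UpdateLog) VerifyChain() bool {
	prev := make([]byte, sha256.Size)
	for _, e := range l.Entries {
		if !bytes.Equal(chainHead(prev, e.Digest), e.Head) {
			return false
		}
		prev = e.Head
	}
	return true
}

// Demo runs three constructed cases against a 2-of-3, two-jurisdiction policy;
// keys derive from fixed seeds so the outcome is deterministic (constructed test keys only).
func Demo() (sameJurisdiction, crossJurisdiction, tampered error) {
	priv := map[string]ed25519.PrivateKey{}
	var trusted []Signer
	for _, p := range [][2]string{{"alice", "DE"}, {"bob", "DE"}, {"carol", "IS"}} {
		seed := sha256.Sum256([]byte("constructed-seed:" + p[0]))
		priv[p[0]] = ed25519.NewKeyFromSeed(seed[:])
		trusted = append(trusted, Signer{p[0], p[1], priv[p[0]].Public().(ed25519.PublicKey)})
	}
	policy, update := Policy{2, 2}, []byte("constructed update artifact 1.2.3")
	sign := func(name string) Signature { return Signature{name, ed25519.Sign(priv[name], UpdateDigest(update))} }
	sameJurisdiction = VerifyUpdate(trusted, policy, update, []Signature{sign("alice"), sign("bob")})
	crossJurisdiction = VerifyUpdate(trusted, policy, update, []Signature{sign("alice"), sign("carol")})
	modified := append(append([]byte(nil), update...), '!') // genuine signatures over an altered payload
	tampered = VerifyUpdate(trusted, policy, modified, []Signature{sign("alice"), sign("carol")})
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("same jurisdiction:", a, "\ncross jurisdiction:", b, "\ntampered payload:", c)
}
```

The jurisdiction check is what makes a single compelled party insufficient: two valid signatures from the same jurisdiction fail the policy even though they meet the numeric threshold. Duplicate signatures from one key are counted once, so a signer cannot satisfy the threshold alone, and the chained log lets a client that stores the last Head it saw detect a later rewrite of history.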
