Re: [Tails-dev] About the download and verification of test images

2016-01-13 Thread intrigeri
sajolida wrote (12 Jan 2016 15:47:16 GMT) :
> The rationale behind this is explained in e66558a.

I think you rewrote, or didn't push, this commit.
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.


Re: [Tails-dev] About the download and verification of test images

2016-01-13 Thread sajolida
sajolida:
> As part of our work on integrating the new installation assistant and
> ISO verification extension in the rest of the website, we need to decide
> how to advertise the download and verification of test ISO images as
> these ones won't be available through the ISO verification extension
> (the extension only allows downloading the latest official ISO image).
> 
> Until now we were using buttons to the direct download of ISO images and
> their signature. See for example
> https://tails.boum.org/news/test_2.0-beta1/index.en.html.
> 
> Something else to keep in mind while discussing this is that, for the
> time being, I'm proposing to remove the old instructions for OpenPGP
> verification from the website. The rationale behind this is explained in
> e66558a. The short version is that we're running way out of time on the
> assistant and this seems like some big work that could very well be
> postponed.
> 
> Also, these instructions were already broken in Tails (see #9285 and not
> many people complained about this).
> 
> Does this sound reasonable to you for test images?
> 
> As an improvement, shall we point people to
> https://archive.torproject.org/ when downloading these?

Now I see that anonym reported #10915: "Consider publishing torrents for
betas and RCs" which would work great to solve the basic download
verification problem. I'm all for it.


Re: [Tails-dev] About the download and verification of test images

2016-01-13 Thread sajolida
intrigeri:
> sajolida wrote (12 Jan 2016 15:47:16 GMT) :
>> The rationale behind this is explained in e66558a.
> 
> I think you rewrote, or didn't push, this commit.

Done now, sorry I'm working on shitloads of branches these days :)


Re: [Tails-dev] About the download and verification of test images

2016-01-14 Thread sajolida
Spencer:
>> sajolida:
>>
>> As part of installation assistant ... we need to decide how to
>> advertise the download and verification of test
>> ISO images
> 
> Though I may find by looking, will you point to what this (newer
> version) currently looks like, or where I can find parts and assemble?

https://tails.boum.org/install (but it's not released yet and buggy).

>> we were using buttons to the direct download
> 
> It is a nice weight during quickscroll :)
> 
>> for the time being ... remove the old instructions for
>> OpenPGP verification from the website.
> 
> For how long?

I don't know :) Some months at least.

>> e66558a
> 
> Where is this?

https://git-tails.immerda.ch/tails/commit/?h=web/9323-release-ia&id=e66558a7fd94715dd2d4a1d4638eca184898da38

>> shall we point people to:
>> https://archive.torproject.org/ when downloading these?
> 
> Please, no.  The archive is difficult to understand.

I meant through a direct link and the same download button. This is only
about not using our pool of mirrors but only archive.torproject.org to
benefit from HTTPS.



Re: [Tails-dev] About the download and verification of test images

2016-01-14 Thread intrigeri
sajolida wrote (12 Jan 2016 15:47:16 GMT) :
> Also, these instructions were already broken in Tails (see #9285 and not
> many people complained about this).

I believe this is incorrect, and these instructions worked just fine
in Tails prior to 2.0~rc1; we even had an automated test to verify it.
Am I mistaken?


Re: [Tails-dev] About the download and verification of test images

2016-01-15 Thread sajolida
intrigeri:
> sajolida wrote (12 Jan 2016 15:47:16 GMT) :
>> Also, these instructions were already broken in Tails (see #9285 and not
>> many people complained about this).
> 
> I believe this is incorrect, and these instructions worked just fine
> in Tails prior to 2.0~rc1; we even had an automated test to verify it.
> Am I mistaken?

To be honest I didn't test it myself so I'm probably wrong.


Re: [Tails-dev] About the download and verification of test images

2016-02-10 Thread intrigeri
Hi,

first of all: thanks a lot for working on improving this key step of
Tails user experience, and in particular of first-time UX!

I'm sorry it took me a month to reply. I've been busy with work, and
also with spending great time to avoid working too much.

Also, I'm concerned that so few of us have time to spend on these
questions from the technical/security PoV, which hasn't been
motivating me to reply promptly. I'll be the one to do it once more,
because hey, our dear UX/web/design/doc people will have to make
a decision anyway, so better have at least another pair of eyes with
a different skillset look at it. I'd love to see us improve the UX/dev
interface in the future, though. I think that all parties have
something to learn, something to gain, and some things to improve on
this topic. Time to re-read the notes from our 2015 summit about
it? :)

sajolida wrote (12 Jan 2016 15:47:16 GMT) :
> As part of our work on integrating the new installation assistant and
> ISO verification extension in the rest of the website, we need to decide
> how to advertise the download and verification of test ISO images as
> these ones won't be available through the ISO verification extension
> (the extension only allows downloading the latest official ISO image).

> Until now we were using buttons to the direct download of ISO images and
> their signature. See for example
> https://tails.boum.org/news/test_2.0-beta1/index.en.html.

[snipping bits about OpenPGP verification -- anyone who cares, this is
now #11027, that is a related but quite broader topic]

> Does this sound reasonable to you for test images?

When reading this initially I didn't understand what the actual
proposal was, and am still struggling to find it in the message I'm
replying to. But it's my bad in the end: I asked sajolida for
clarifications about it last month, and failed to take note of his
reply, so I'm kinda back to square one. Oops, sorry!

So please take my comments with a grain of salt, it's entirely
possible that I misunderstood the exact proposal we
should discuss.

In principle, I'm totally fine with _not_ integrating test images into
the installation assistant (IA). I have three half-good reasons to think
it's OK:

 * We clearly state that such images are not as trustworthy as actual
   releases, which (I guess) implies that most users who choose to
   test them entrust them with sensitive data, which implies that
   a poor verification process is no big deal in most cases.

 * Our dear IA/DAVE team has already spent much more time than planned
   on producing the great thing that is live on our website.

 * I expect mostly power-users to try our test images, so hopefully
   they will be able to download, verify and install them in some
   other way:
   - download: direct link to the ISO is enough
   - verify: see below
   - install: I think it's fair enough to assume that the majority of
     the target user base of these test images will know how to do
     this; I'll leave it as an exercise for our dear sajolida to find
     out how to nicely convey this message in calls for testing we
     issue :)

From my perspective, none of these reasons would be fully convincing
in itself, but all added up the conclusion totally makes sense to me.

I find it important that we preserve the ability, for skilled users
who desire so, to verify such an image with a proper cryptographic
trust path leading from Tails developers to the end-user. I don't mean
to interfere with the IA/DAVE team's work, in terms of how exactly
this is implemented, so I'll stick to phrasing what I think we should do
at this abstraction level. For the mere purpose of illustrating why
I say "preserve" above, not meaning the need has to be satisfied
exactly this way forever and ever: currently we provide this ability
thanks to a detached OpenPGP signature, made with a key whose security
and usage policy is well thought out and advertised, and that is pretty
well linked to the OpenPGP web-of-trust.

> As an improvement, shall we point people to
> https://archive.torproject.org/ when downloading these?

If the administrators of this service are fine with it, why not: it
will give better download verification for non-power-users. But then
these very same people might be stuck with a nice ISO image and no
documentation about how to install it (see above). There's certainly
a set of Tails users who know by heart how to install an ISO without
any doc, but don't know how to use the WoT, and are keen to try our
test images, but all in all I'm not sure the advantage is worth the
effort. I say: your time+energy, your call.

Minor implementation detail: last time I checked carefully, only one
of the two mirrors behind this hostname was serving our stuff, which
is why (last time I checked) only one of those was in our round-robin
pool of HTTP mirrors. If it's still the case, then we cannot do what
you propose. This situation may very well have changed, I dunno.

sajolida w

Re: [Tails-dev] About the download and verification of test images

2016-02-13 Thread sajolida
intrigeri:
> Also, I'm concerned that so few of us have time to spend on these
> questions from the technical/security PoV, which hasn't been
> motivating me to reply promptly. I'll be the one to do it once more,
> because hey, our dear UX/web/design/doc people will have to make
> a decision anyway, so better have at least another pair of eyes with
> a different skillset look at it. I'd love to see us improve the UX/dev
> interface in the future, though. I think that all parties have
> something to learn, something to gain, and some things to improve on
> this topic. Time to re-read the notes from our 2015 summit about
> it? :)

+1 :)

> sajolida wrote (12 Jan 2016 15:47:16 GMT) :
>> As part of our work on integrating the new installation assistant and
>> ISO verification extension in the rest of the website, we need to decide
>> how to advertise the download and verification of test ISO images as
>> these ones won't be available through the ISO verification extension
>> (the extension only allows downloading the latest official ISO image).
> 
>> Until now we were using buttons to the direct download of ISO images and
>> their signature. See for example
>> https://tails.boum.org/news/test_2.0-beta1/index.en.html.
> 
> [snipping bits about OpenPGP verification -- anyone who cares, this is
> now #11027, that is a related but quite broader topic]
> 
>> Does this sound reasonable to you for test images?
> 
> When reading this initially I didn't understand what the actual
> proposal was, and am still struggling to find it in the message I'm
> replying to. But it's my bad in the end: I asked sajolida for
> clarifications about it last month, and failed to take note of his
> reply, so I'm kinda back to square one. Oops, sorry!
> 
> So please take my comments with a grain of salt, it's entirely
> possible that I misunderstood the exact proposal we
> should discuss.

Until now the proposal was, from the calls for testing, to point to:

1. a direct download link on https://archive.torproject.org/
2. a Torrent file on https://tails.boum.org/
3. a detached OpenPGP signature on https://tails.boum.org/
4. whatever OpenPGP verification instructions we might have (open
   question dealt with elsewhere but we'll have *something*)

> In principle, I'm totally fine with _not_ integrating test images into
> the installation assistant (IA). I have three half-good reasons to think
> it's OK:
> 
>  * We clearly state that such images are not as trustworthy as actual
>    releases, which (I guess) implies that most users who choose to
>    test them entrust them with sensitive data, which implies that
>    a poor verification process is no big deal in most cases.
> 
>  * Our dear IA/DAVE team has already spent much more time than planned
>    on producing the great thing that is live on our website.
> 
>  * I expect mostly power-users to try our test images, so hopefully
>    they will be able to download, verify and install them in some
>    other way:
>    - download: direct link to the ISO is enough
>    - verify: see below
>    - install: I think it's fair enough to assume that the majority of
>      the target user base of these test images will know how to do
>      this; I'll leave it as an exercise for our dear sajolida to find
>      out how to nicely convey this message in calls for testing we
>      issue :)
> 
> From my perspective, none of these reasons would be fully convincing
> in itself, but all added up the conclusion totally makes sense to me.

Cool, I'm glad we agree on this as this would have been the most
problematic point if we disagreed.

> I find it important that we preserve the ability, for skilled users
> who desire so, to verify such an image with a proper cryptographic
> trust path leading from Tails developers to the end-user. I don't mean
> to interfere with the IA/DAVE team's work, in terms of how exactly
> this is implemented, so I'll stick to phrasing what I think we should do
> at this abstraction level. For the mere purpose of illustrating why
> I say "preserve" above, not meaning the need has to be satisfied
> exactly this way forever and ever: currently we provide this ability
> thanks to a detached OpenPGP signature, made with a key whose security
> and usage policy is well thought out and advertised, and that is pretty
> well linked to the OpenPGP web-of-trust.

I propose to keep the OpenPGP signature as we do it now. See point 4 of
the proposal.

>> As an improvement, shall we point people to
>> https://archive.torproject.org/ when downloading these?
> 
> If the administrators of this service are fine with it, why not: it
> will give better download verification for non-power-users. But then
> these very same people might be stuck with a nice ISO image and no
> documentation about how to install it (see above).

Ok, see #7. Shall I write to phobos, weasel, someone else?

> There's certainly
> a set of Tails users who know by heart how to install an ISO without
> any doc,

Re: [Tails-dev] About the download and verification of test images

2016-02-13 Thread intrigeri
sajolida wrote (13 Feb 2016 12:13:49 GMT) :
> Ok, see #7. Shall I write to phobos, weasel, someone else?

https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure
says N/A in the Maintainers column ⇒ I would ask weasel (Cc Lunar, who
helps a bit on the rsync side IIRC).

phobos has left the Tor project.

>> Minor implementation detail: last time I checked carefully, only one
>> of the two mirrors behind this hostname was serving our stuff, which
>> is why (last time I checked) only one of those was in our round-robin
>> pool of HTTP mirrors. If it's still the case, then we cannot do what
>> you propose. This situation may very well have changed, I dunno.

> I'll check before writing to archive.torproject.org then. Now #11120.

The title of that ticket doesn't reflect what I wrote above, so
I wonder if I conveyed what I meant clearly enough: it's not about
"how many servers are behind archive.torproject.org" (that is
trivially answered by a DNS query), but about whether all of them
_actually serve our stuff_.

>> sajolida wrote (13 Jan 2016 11:55:33 GMT) :
>>> Now I see that anonym reported #10915: "Consider publishing torrents for
>>> betas and RCs" which would work great to solve the basic download
>>> verification problem. I'm all for it.
>> 
>> Indeed, this would be another way to improve security for the "set of
>> Tails users who know by heart how to install an ISO without any doc,
>> but don't know how to use the WoT, and are keen to try our test
>> images". And regardless, as we see on #10915 we have good reasons to
>> do so anyway. Let's do it. sajolida, will your team take it as part of
>> the question this thread is about, or shall we organize
>> things differently?

> If I understand correctly, this would mean adjusting the release process
> document to add instructions to create Torrents for release candidates
> as well, right?

I would have said that it's about checking what needs to be done,
coordinating it and making it happen :)

I've had a look to help with the 1st part.

Our release process doc already makes us generate a Torrent and its
detached signature, even for RC:s (check for yourself: the "Generate
the OpenPGP signatures and Torrents" seems to have no condition
attached). It also makes us seed this Torrent unconditionally.

So what needs to be done is:

 * in the "Update the website and Git repository" section: don't skip
   the Torrent publication steps when preparing a RC; also deal with
   cleaning RC:s' Torrent files later; indeed anonym or I would be the
   best placed to do that, although bertagaz should be able to do it too

 * on our call for testing (non-existing yet) "template": link to the
   Torrent, its signature, and the corresponding documentation;
   I guess that you (sajolida) would be better placed to handle it.

Re: [Tails-dev] About the download and verification of test images

2016-02-14 Thread sajolida
intrigeri:
> sajolida wrote (13 Feb 2016 12:13:49 GMT) :
>> Ok, see #7. Shall I write to phobos, weasel, someone else?
> 
> https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure
> says N/A in the Maintainers column ⇒ I would ask weasel (Cc Lunar, who
> helps a bit on the rsync side IIRC).
> 
> phobos has left the Tor project.

Ok, so that's what I thought. I wrote them already.

Then does it also make sense to explicitly not push RCs to the whole
pool of mirrors? I understand that the work for us is to push them to
the rsync server and that it's actually not more work for us to have
them on all the mirrors. Still, it would be a small gain of disk space
for these mirrors. But maybe it's not worth the trouble of adjusting our
release process or the pool of mirrors to handle these...

>>> Minor implementation detail: last time I checked carefully, only one
>>> of the two mirrors behind this hostname was serving our stuff, which
>>> is why (last time I checked) only one of those was in our round-robin
>>> pool of HTTP mirrors. If it's still the case, then we cannot do what
>>> you propose. This situation may very well have changed, I dunno.
> 
>> I'll check before writing to archive.torproject.org then. Now #11120.
> 
> The title of that ticket doesn't reflect what I wrote above, so
> I wonder if I conveyed what I meant clearly enough: it's not about
> "how many servers are behind archive.torproject.org" (that is
> trivially answered by a DNS query), but about whether all of them
> _actually serve our stuff_.

Sorry. I understood correctly and meant to do this but the title was
clearly misleading. Fixed now and solved :)

>>> sajolida wrote (13 Jan 2016 11:55:33 GMT) :
>>>> Now I see that anonym reported #10915: "Consider publishing torrents for
>>>> betas and RCs" which would work great to solve the basic download
>>>> verification problem. I'm all for it.
>>>
>>> Indeed, this would be another way to improve security for the "set of
>>> Tails users who know by heart how to install an ISO without any doc,
>>> but don't know how to use the WoT, and are keen to try our test
>>> images". And regardless, as we see on #10915 we have good reasons to
>>> do so anyway. Let's do it. sajolida, will your team take it as part of
>>> the question this thread is about, or shall we organize
>>> things differently?
> 
>> If I understand correctly, this would mean adjusting the release process
>> document to add instructions to create Torrents for release candidates
>> as well, right?
> 
> I would have said that it's about checking what needs to be done,
> coordinating it and making it happen :)
> 
> I've had a look to help with the 1st part.
> 
> Our release process doc already makes us generate a Torrent and its
> detached signature, even for RC:s (check for yourself: the "Generate
> the OpenPGP signatures and Torrents" seems to have no condition
> attached). It also makes us seed this Torrent unconditionally.

Ack.

> So what needs to be done is:
> 
>  * in the "Update the website and Git repository" section: don't skip
>    the Torrent publication steps when preparing a RC; also deal with
>    cleaning RC:s' Torrent files later; indeed anonym or I would be the
>    best placed to do that, although bertagaz should be able to do it too

Ack → #11126.

>  * on our call for testing (non-existing yet) "template": link to the
>    Torrent, its signature, and the corresponding documentation;
>    I guess that you (sajolida) would be better placed to handle it.

I created #9 for this and proposed a draft. We don't have templates
(maybe we should) and are merely copying the previous one I think.

Re: [Tails-dev] About the download and verification of test images

2016-02-15 Thread intrigeri
sajolida wrote (14 Feb 2016 14:39:30 GMT) :
> Then does it also make sense to explicitly not push RCs to the whole
> pool of mirrors? I understand that the work for us is to push them to
> the rsync server and that it's actually not more work for us to have
> them on all the mirrors. Still, it would be a small gain of disk space
> for these mirrors. But maybe it's not worth the trouble of adjusting our
> release process or the pool of mirrors to handle these...

JFTR, I have no plans to spend more time on the "point to
archive.torproject.org for RCs" idea.

Cheers,
-- 
intrigeri