Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2018-02-21 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  closed
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:  fixed
 Keywords:  tbb-rbm, TorBrowserTeam201802R    | Actual Points:
Parent ID:  #20892                            |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------
Changes (by gk):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:15 boklm]:
 > Maybe we can add an `export LC_ALL=C` in the script so that the `sort`
 > does not depend on the locale?
 >
 > Otherwise the patch looks good.

 Thanks. I've fixed that and pushed the result (commit
 011e0d3d3da5263efa29b9a5963caa083f4c3ff5) to `master`.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2018-02-21 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  needs_review
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:
 Keywords:  tbb-rbm, TorBrowserTeam201802R    | Actual Points:
Parent ID:  #20892                            |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------

Comment (by boklm):

 Maybe we can add an `export LC_ALL=C` in the script so that the `sort`
 does not depend on the locale?

 Otherwise the patch looks good.


Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2018-02-09 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  needs_review
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:
 Keywords:  tbb-rbm, TorBrowserTeam201802R    | Actual Points:
Parent ID:  #20892                            |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------
Changes (by gk):

 * keywords:  tbb-rbm, TorBrowserTeam201802 => tbb-rbm,
   TorBrowserTeam201802R
 * status:  new => needs_review


Comment:

 To make some progress on #20892 in `bug_22612`
 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_22612=90891f83a0692dd7041c162538b417fcf85daf0f)
 in my `tor-browser-build` repo is a patch that is adding a script to fix
 this bug up for review.


Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2017-10-31 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  new
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:
 Keywords:  tbb-rbm, TorBrowserTeam201710     | Actual Points:
Parent ID:  #20892                            |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------
Changes (by gk):

 * parent:   => #20892



Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2017-08-08 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  new
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:
 Keywords:  tbb-gitian, TorBrowserTeam201708  | Actual Points:
Parent ID:                                    |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------
Changes (by gk):

 * cc: boklm (added)


Comment:

 We did not get to implement that so far but I took the shortcut of
 generating some `sha256sums-signed-build`-files. Let me know if there are
 issues with that.


Re: [tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2017-06-15 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  new
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |    Resolution:
 Keywords:  tbb-gitian, TorBrowserTeam201706  | Actual Points:
Parent ID:                                    |        Points:
 Reviewer:                                    |       Sponsor:
----------------------------------------------+--------------------------
Changes (by gk):

 * keywords:  sha256 => tbb-gitian, TorBrowserTeam201706


Comment:

 Putting that on our radar to have it ready for the next regular release.


[tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

2017-06-14 Thread Tor Bug Tracker & Wiki
#22612: Provide a list sha256's for verified binary downloads from mirrors
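----------------------------------------------+--------------------------
 Reporter:  BenjaminCarr                      |         Owner:  tbb-team
     Type:  enhancement                       |        Status:  new
 Priority:  Medium                            |     Milestone:
Component:  Applications/Tor Browser          |       Version:
 Severity:  Normal                            |      Keywords:  sha256
Actual Points:                                |     Parent ID:
   Points:                                    |      Reviewer:
  Sponsor:                                    |
----------------------------------------------+--------------------------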
 While attempting to bump the version in the OSX Homebrew system in the
 middle of the night I discovered that the list of sha256s provided did not
 align with the downloaded DMGs that were on the mirrors:

   shasum -a 256 TorBrowser-7.0.1-osx64_ar.dmg
   96127d410647bc63b592238e7a5473a63c9588a88fbc501cbce93b02e546bf2e  TorBrowser-7.0.1-osx64_ar.dmg

 when on the list it is:

   325550bf93c24e302354d4bcf90bda04540c4e8c78c270b735b5598e1dcd988d  TorBrowser-7.0.1-osx64_ar.dmg

 Since distributing tainted software is of concern particularly on security
 related matters, I halted the PR and flagged it. Contributors on two other
 continents checked their mirrors, and we were all getting the same
 sha256s, but these did not align with the only published list of shas. The
 only publicly available sha list is for the signed software (here is
 v7.0.1):
 https://dist.torproject.org/torbrowser/7.0.1/sha256sums-unsigned-build.txt

 While we acknowledge the utility and use of the PGP *.asc signing, the
 homebrew (I have no idea what kind of reach we have for Tor products)
 currently requires a sha256 on a downloaded file even if other verification
 methods are used. Thus to implement PGP verification we would need to do
 it on top of the sha256 unless we switch TorBrowser to `:latest` which we
 do not want to do for security reasons.

 As the tested sha256s are consistent across mirrors a published list of
 sha256s for known good installers/DMGs is requested; as I was not the only
 one confused; but rather four homebrew contributors/maintainers.

 Needing to wget all of the binaries to verify the sha's presents two
 problems: one, the mirror used could be tainted/compromised; given recent
 seizures like those in France this is of modest concern. But even in
 affluent countries like the US high-speed broadband is not evenly
 distributed; and needing to pull 16 ~62MB DMG's is nearly a gigabyte of
 data just to verify the sha256s. A `verified` sha256 list solves both
 these problems.

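
An added example, not the script from the `tor-browser-build` patch: it illustrates the two points raised in this thread, a checksum list whose line order is pinned with `LC_ALL=C` (the review suggestion) and a check of one downloaded file against such a published list (the original request). The function names `sha256`, `make_sums` and `check_download` and the dummy file names are assumptions made for the illustration; file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added illustration; function names and sample files are constructed.

# Use coreutils sha256sum where present, otherwise shasum (as on macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Print "<hash>  <name>" for every regular file in directory $1.
# LC_ALL=C makes sort compare raw bytes, so the list is byte-identical
# on every builder regardless of its locale. Redirect output outside $1.
make_sums() (
    cd "$1" || exit 1
    export LC_ALL=C
    for f in *; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort | while IFS= read -r f; do
        sha256 "$f"
    done
)

# Check one downloaded file against a published list.
# Returns 0 on match, 1 on mismatch, 2 if the file name is not listed.
check_download() {
    list=$1 file=$2
    name=$(basename "$file")
    # Accept both text-mode ("name") and binary-mode ("*name") entries.
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$list")
    [ -n "$want" ] || return 2
    got=$(sha256 "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Constructed demo: three dummy "installers" whose names sort differently
# under C and typical UTF-8 locales (upper case, underscore, lower case).
demo_dir=$(mktemp -d)
for n in a.dmg B.dmg _c.dmg; do printf '%s' "$n" > "$demo_dir/$n"; done
make_sums "$demo_dir" > "$demo_dir.sums"
cat "$demo_dir.sums"
check_download "$demo_dir.sums" "$demo_dir/B.dmg" && echo "B.dmg: OK"
rm -rf "$demo_dir" "$demo_dir.sums"
```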