3 Oct 2013, 7:55 p.m.
On Thu, Oct 3, 2013 at 12:24 PM, CodesInChaos <codesinchaos@gmail.com> wrote:
... I don't think disabling auto-update is a good idea. What we need is secure auto update.
agreed.
This involves:
1) requiring multiple signatures on the update by people in different jurisdictions
2) Reproducible builds
3) A Certificate Transparency like log of all updates.
I believe TOR is doing some work on points 1) and 2).
there are additional concerns regarding the implementation of updates and key management for the updates as well. see:
http://www.cs.arizona.edu/stork/
http://www.cs.arizona.edu/stork/packagemanagersecurity/papers.html
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy
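Point 3) above, as an added example that is not part of the original message: a client-side check that an update appears in an append-only Merkle log before it is installed, using the hashing and audit-path rules of RFC 6962 (Certificate Transparency). The log entries, the function names, and the assumption that the client already holds a trusted signed tree root are constructed for illustration.

```python
import hashlib
import hmac

def _leaf(data):                       # RFC 6962 leaf hash: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + data).digest()

def _node(left, right):                # RFC 6962 interior hash: SHA-256(0x01 || l || r)
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):                         # largest power of two strictly below n (n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_root(entries):                # log side: Merkle tree hash over all entries
    if len(entries) == 1:
        return _leaf(entries[0])
    k = _split(len(entries))
    return _node(tree_root(entries[:k]), tree_root(entries[k:]))

def audit_path(m, entries):            # log side: sibling hashes, lowest level first
    if len(entries) <= 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_root(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_root(entries[:k])]

def _root_from_path(leaf_hash, m, n, path):
    if n == 1:
        if path:
            raise ValueError("proof too long")
        return leaf_hash
    if not path:
        raise ValueError("proof too short")
    k = _split(n)
    if m < k:
        return _node(_root_from_path(leaf_hash, m, k, path[:-1]), path[-1])
    return _node(path[-1], _root_from_path(leaf_hash, m - k, n - k, path[:-1]))

def update_is_logged(update, index, tree_size, path, trusted_root):
    """Client side: accept an update only if its inclusion proof matches the root."""
    if not 0 <= index < tree_size:
        return False
    try:
        computed = _root_from_path(_leaf(update), index, tree_size, path)
    except ValueError:
        return False
    return hmac.compare_digest(computed, trusted_root)

# Constructed sample log of five release manifests (not real data).
LOG = [b"example-app 1.%d manifest (constructed)" % i for i in range(5)]
ROOT = tree_root(LOG)
```

An update served to only one user never appears in the public log, so no audit path for it can hash to the root that every other client sees.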