Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

Dev Random c1.devrandom at niftybox.net
Mon Jul 1 16:12:21 PDT 2013


The Gitian tools have this:

https://github.com/devrandom/gitian-builder/blob/master/share/gitian_updater.py

which could be adapted to work with other network protocols (e.g. Torrent).

On 07/01/2013 11:03 AM, adrelanos wrote:
> In response to "the tool doesn't exist"...
> 
> You can create a really great privacy preserving application, Open
> Source, but when you want to share it with the world, it's difficult to
> ensure, that users actually get legit versions.
> 
> Goal:
> 
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download
> 
> The problem:
> 
> 1. Unauthenticated downloads can get infected with malware on the fly
> and we're living in a world were governments are interested in doing so
> or already doing it.
> 
> 2. There are no free Open Source hosts providing TLS or any other kind
> of authentication usable by layman. (github doesn't provide downloads
> anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)
> 
> 3. TLS downloads are expensive. I am creating Free Software myself
> already (Whonix), but I am not willing to pay hundred of dollars every
> month for TLS downloads and many other producers of Free Software aren't
> willing to do that as well. That's just the reality.
> 
> 4. Gpg verification - almost no one uses it. Technically, it works okay,
> you can share your OpenPGP public key over TLS (web traffic isn't the
> most expensive thing, downloads are) or even web of trust (non-anonymous
> people) and it can verify builds. Since only one in twenty persons (or
> worse) uses it for verification, for whatever reasons, its not the solution.
> 
> 5. Windows doesn't even have a package manager like Debian has apt-get.
> (Sorry, I am ignorant about Windows 8 and its app store thingy and not
> sure if FOSS developers can easily add their software.)
> 
> 6. Linux distributions, such as Debian have awesome updating systems
> (Debian has apt-get, which even defeats The Update Framework threat
> model [1], other distributions may have similar great updaters.
> 
> Problem: its far from easy to get software into the repository, you need
> to create packages following their policy, need to be a Debian developer
> or need a sponsor, thats absoutely non-trivial, many projects just
> failed or have given up (example: Retroshare).
> 
> Usually their repository is filled up with high quality packages. Just
> many projects/newer projects not capable/compatible/etc. with that end
> up using less secure methods to share their software. There is nothing
> in the middle such as a PPA service. (Ubuntu has a PPA service, but
> Ubuntu should be avoided for other privacy issues [2].)
> 
> 7. Metalink could solve it, if there where metalink downloaders
> supporting OpenPGP, but there aren't any.
> 
> 8. Mainstream browsers don't come with Metalink/OpenPGP support out of
> the box, so you'd still have to tell users "you have to download tool X
> to download our tool Y".
> 
> In conclusion:
> 
> I don't think we need a gpg4win downloader, a TBB downloader, Tails
> downloader, a Whonix downloader... Thats just a lot duplicate effort and
> another bootstrap issue: how to share the download tool itself? Make it
> small and share it over TLS?
> 
> I think, this kind of tool doesn't exist yet.
> 
> References:
> 
> [1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
> [2]
> https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
> 
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 




More information about the liberationtech mailing list