Search Mailing List Archives
[liberationtech] secure download tool - doesn't exist?!?
c1.devrandom at niftybox.net
Mon Jul 1 16:12:21 PDT 2013
The Gitian tools have this:
which could be adapted to work with other network protocols (e.g. Torrent).
On 07/01/2013 11:03 AM, adrelanos wrote:
> In response to "the tool doesn't exist"...
> You can create a really great privacy preserving application, Open
> Source, but when you want to share it with the world, it's difficult to
> ensure, that users actually get legit versions.
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download
> The problem:
> 1. Unauthenticated downloads can get infected with malware on the fly
> and we're living in a world were governments are interested in doing so
> or already doing it.
> 2. There are no free Open Source hosts providing TLS or any other kind
> of authentication usable by layman. (github doesn't provide downloads
> anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)
> 3. TLS downloads are expensive. I am creating Free Software myself
> already (Whonix), but I am not willing to pay hundred of dollars every
> month for TLS downloads and many other producers of Free Software aren't
> willing to do that as well. That's just the reality.
> 4. Gpg verification - almost no one uses it. Technically, it works okay,
> you can share your OpenPGP public key over TLS (web traffic isn't the
> most expensive thing, downloads are) or even web of trust (non-anonymous
> people) and it can verify builds. Since only one in twenty persons (or
> worse) uses it for verification, for whatever reasons, its not the solution.
> 5. Windows doesn't even have a package manager like Debian has apt-get.
> (Sorry, I am ignorant about Windows 8 and its app store thingy and not
> sure if FOSS developers can easily add their software.)
> 6. Linux distributions, such as Debian have awesome updating systems
> (Debian has apt-get, which even defeats The Update Framework threat
> model , other distributions may have similar great updaters.
> Problem: its far from easy to get software into the repository, you need
> to create packages following their policy, need to be a Debian developer
> or need a sponsor, thats absoutely non-trivial, many projects just
> failed or have given up (example: Retroshare).
> Usually their repository is filled up with high quality packages. Just
> many projects/newer projects not capable/compatible/etc. with that end
> up using less secure methods to share their software. There is nothing
> in the middle such as a PPA service. (Ubuntu has a PPA service, but
> Ubuntu should be avoided for other privacy issues .)
> 7. Metalink could solve it, if there where metalink downloaders
> supporting OpenPGP, but there aren't any.
> 8. Mainstream browsers don't come with Metalink/OpenPGP support out of
> the box, so you'd still have to tell users "you have to download tool X
> to download our tool Y".
> In conclusion:
> I don't think we need a gpg4win downloader, a TBB downloader, Tails
> downloader, a Whonix downloader... Thats just a lot duplicate effort and
> another bootstrap issue: how to share the download tool itself? Make it
> small and share it over TLS?
> I think, this kind of tool doesn't exist yet.
>  https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
More information about the liberationtech