Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

Eleanor Saitta ella at
Mon Jul 1 19:21:23 PDT 2013

Hash: SHA256

On 2013.07.01 17.28, adrelanos wrote:
> Eleanor Saitta:
>> On 2013.07.01 15.15, Julian Oliver wrote:
>>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>>> In response to "the tool doesn't exist"...
>>> apt-get install tor && torify wget
>> And how did you verify the trust path for your initial debian
>> install?
> Thats a different issue to be discussed and solved separately.

No, it really isn't.  Either you have a trustable chain or you don't.

Now, admitting that you have no trustable chain is fine; it means
you're looking at outcomes and scope of compromise required to affect
a single user, etc., because that's all that you've got left.  In
fact, it's useful to start thinking this way, because then, while
chain of custody in the download process is still important, you start
thinking about detection of interference rather than assuming that
your house-of-cards updater will always work.  Which it won't, no
matter how good it is, if for no other reason than that it will have
bugs which someone will eventually exploit.


- -- 
Ideas are my favorite toys.
Version: GnuPG v2.0.17 (MingW32)


More information about the liberationtech mailing list