Search Mailing List Archives
[liberationtech] secure download tool - doesn't exist?!?
ella at dymaxion.org
Mon Jul 1 19:21:23 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 2013.07.01 17.28, adrelanos wrote:
> Eleanor Saitta:
>> On 2013.07.01 15.15, Julian Oliver wrote:
>>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>>> In response to "the tool doesn't exist"...
>>> apt-get install tor && torify wget http://path.to/file
>> And how did you verify the trust path for your initial debian
> Thats a different issue to be discussed and solved separately.
No, it really isn't. Either you have a trustable chain or you don't.
Now, admitting that you have no trustable chain is fine; it means
you're looking at outcomes and scope of compromise required to affect
a single user, etc., because that's all that you've got left. In
fact, it's useful to start thinking this way, because then, while
chain of custody in the download process is still important, you start
thinking about detection of interference rather than assuming that
your house-of-cards updater will always work. Which it won't, no
matter how good it is, if for no other reason than that it will have
bugs which someone will eventually exploit.
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP SIGNATURE-----
More information about the liberationtech