[Pkg-anonymity-tools] Bug#752275: FYI: torbrowser-launcher might require updates during point releases

Holger Levsen holger at layer-acht.org
Tue Aug 19 18:41:30 UTC 2014


Dear SRMs,

On Wednesday, 25 June 2014, intrigeri wrote:
> Micah Lee wrote (25 Jun 2014 18:35:45 GMT) :
> > * TLS/x.509 security: torbrowser-launcher doesn't rely on the CA
> > infrastructure. The only TLS it does is make HTTPS requests to
> > check.torproject.org and (if you haven't set a mirror)
> > www.torproject.org. When it connects to these hostnames, it uses a
> > hardcoded certificate. So none of the TLS PKI issues apply at
> > all here.
> 
> I like the idea of using the Debian archive as a side-channel,
> presumably already somewhat trusted, to distribute the included
> certificate.
> 
> @Debian maintainers: it might be nice to make the stable release team
> aware that this package will most likely need to be updated in stable
> point-releases, when the certificate changes.

I'm not sure how likely this is, but as intrigeri suggested it's probably a 
good idea to notify you now that this might happen. I assume this is not a 
reason to not include torbrowser-launcher in a stable release, but it's up to 
you to decide. :-)


cheers,
	Holger
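
The failure mode this notice anticipates, sketched as an added example (not torbrowser-launcher's own code): a client that trusts only a shipped certificate pin rejects the server once the certificate is rotated, until an updated pin set is distributed. The function names, the SHA-256 fingerprint comparison and the constructed byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(presented_der: bytes, pinned: set) -> bool:
    """True only if the presented leaf certificate is one of the shipped pins."""
    presented = fingerprint(presented_der)
    return any(hmac.compare_digest(presented, p) for p in pinned)

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate without consulting any CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the pin, not the CA chain, is the trust anchor
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # A real client must check the pin on the same connection that
            # carries the request, before sending or reading any data.
            return tls.getpeercert(binary_form=True)

def check_host(host: str, pinned: set, fetch=fetch_leaf_der):
    """Return (ok, fingerprint); the caller aborts the download when ok is False."""
    der = fetch(host)
    return pin_matches(der, pinned), fingerprint(der)

# Constructed stand-ins for DER certificates (not real certificates).
OLD_CERT = b"constructed-der-cert-before-rotation"
NEW_CERT = b"constructed-der-cert-after-rotation"

SHIPPED_PINS = {fingerprint(OLD_CERT)}                 # as frozen in a stable release
UPDATED_PINS = SHIPPED_PINS | {fingerprint(NEW_CERT)}  # after a point-release update

def simulate_rotation():
    """Offline walk-through: before rotation, after rotation, after package update."""
    host = "www.torproject.org"
    before = check_host(host, SHIPPED_PINS, fetch=lambda h: OLD_CERT)[0]
    after = check_host(host, SHIPPED_PINS, fetch=lambda h: NEW_CERT)[0]
    updated = check_host(host, UPDATED_PINS, fetch=lambda h: NEW_CERT)[0]
    return before, after, updated

if __name__ == "__main__":
    print(simulate_rotation())
```

Shipping the old and new fingerprints together for an overlap period lets the updated package work on both sides of the rotation.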