[liberationtech] secure download tool - doesn't exist?!?
Jacob Appelbaum
jacob at appelbaum.net
Mon Jul 1 15:36:30 PDT 2013
Eleanor Saitta:
> On 2013.07.01 15.15, Julian Oliver wrote:
>> ..on Mon, Jul 01, 2013 at 06:03:01PM +0000, adrelanos wrote:
>>> In response to "the tool doesn't exist"...
>
>> apt-get install tor && torify wget http://path.to/file
>
> And how did you verify the trust path for your initial debian install
It is easy enough for me, nearly impossible for regular users.
I verify the signature. I very the trust path by having been to DebConf
and attending key signing parties. Having a trust path to the people who
sign the releases is important, of course.
Long ago, I was trying to install an extra package from OpenBSD - for
some strange reason, I needed a package that was not on the CD or the CD
was no longer in the machine. In any case, I found the package on the
OpenBSD mirrors but weirdly, it was the only package not in the
published hash to filename list. Eventually I found myself on irc asking
for a hash of the file, only to be mocked in the typical arrogant
OpenBSD style. I sent patches to ensure others would not need to ask the
questions I was asking, I suggested ensuring all files were hashed and
if possible, that there was at least a signature or a key on the release
CDs, etc. I really made an effort to document and suggest positive fixes
for each issue that concerned me. Eventually, someone questioned my
entire motivation - "Where did you get the CD?" - "how do you know it
wasn't tampered with in the mail?" - "How do you know the person from
OpenBSD was really from OpenBSD and not just someone selling cds at a
conference" and similar questions.
The basic idea was this arrogant "don't complain about a few missing
details, you have your own problems too" dismissal that really was
perhaps the most funny part of the entire ordeal. So i let them know
that I was living in Calgary when I received the CD and that I received
my first copy of OpenBSD on CD from Theo himself. He gave it to me while
I was touching cvs.openbsd.org in his basement. For a while I was living
in Calgary which just happened to be down the street from him in Canada.
It was at that point that someone chimed in to say something to the
effect of "Yeah, well, not everyone can do that..."
We need a secure downloading tool, we need it to be built into every OS
by default and until then, we'll have to rely on tricks to hack it -
preloading certs in browsers, having a website to download it from and
so on.
All the best,
Jacob
More information about the liberationtech
mailing list