[liberationtech] secure download tool - doesn't exist?!?
Jonathan Wilkes
jancsika at yahoo.com
Tue Jul 2 09:46:05 PDT 2013
On 07/02/2013 04:51 AM, intrigeri wrote:
> Hi,
>
> adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
>> Goal:
>> - big file downloads
>> - at least as secure as TLS
>> - at least as simple as a regular download using a browser
>> - not using TLS itself (too expensive) for bulk download
>> The problem: [...]
> + verify that the signed file you've downloaded is actually the
> version you intended to download, and not an older, also properly
> signed one.
>
> See tools that take this into account:
> - Thandy (already mentioned by Moritz)
> - our design for incremental updates:
> https://tails.boum.org/todo/incremental_upgrades/
> - TUF:
> https://www.updateframework.com/
Does Debian's "Valid-Until" field in the release files solve this problem?
-Jonathan
>
> Other than this, our current take on it is, I believe, making it
> easier to verify OpenPGP detached signatures. E.g. we're working to
> make it work flawlessly on the GNOME desktop.
>
> Cheers,
> --
> intrigeri
> | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
> | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>
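Added example, not part of the original thread: a minimal freshness check of the kind a `Valid-Until` field makes possible on Debian-style Release metadata whose signature has already been verified. The sample fields are constructed, the function names are hypothetical, and the `last_seen_date` comparison goes beyond `Valid-Until` by assuming the client stores the `Date` of the last metadata it accepted.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header fields (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Tue, 02 Jul 2013 09:00:00 UTC
Valid-Until: Tue, 09 Jul 2013 09:00:00 UTC
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # skip continuation lines (checksum lists) and blanks
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _utc(value):
    """Parse an RFC 2822 style date and return an aware UTC datetime."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_freshness(text, now, last_seen_date=None):
    """Classify signed metadata; call only after the signature has verified."""
    fields = parse_fields(text)
    if "Valid-Until" not in fields:
        return "no-expiry"   # a replay of this file is not bounded in time
    if now > _utc(fields["Valid-Until"]):
        return "expired"     # stale metadata: possible freeze or replay
    if last_seen_date and "Date" in fields and _utc(fields["Date"]) < last_seen_date:
        return "rollback"    # older than metadata this client already accepted
    return "ok"

if __name__ == "__main__":
    now = datetime(2013, 7, 5, tzinfo=timezone.utc)
    print(check_freshness(SAMPLE_RELEASE, now))
```

An expiry date alone only bounds how long an old signed file can be replayed; detecting an older file inside that window needs the stored state that the `last_seen_date` argument stands in for.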