[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Blibbet blibbet at gmail.com
Fri May 23 13:41:37 PDT 2014


There was a good thread on this topic on the OSS-Security list, and 
another, probably on this list, about 6 months ago.

It'd be worth studying Tor's Thandy, a secure update tool. I wish I 
could recall why Tor abandoned Thandy; that might be important. :-( 
There might be clues in Trac.
https://gitweb.torproject.org/thandy.git/blob/HEAD:/specs/thandy-spec.txt
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy

BTW, when auditing auto-updates, don't both Windows and Apple use CDNs 
like Akamai to push out their new updates? I seem to recall some 
Snowden-related articles mentioning CDNs, including Akamai; a great place 
for an adversary to update system binaries.
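The CDN concern above is exactly what an update design like Thandy answers by signing the update metadata with a publisher key the client already holds, so the CDN becomes an untrusted transport and cannot substitute, edit, replay or downgrade a release without detection. The Go program below is an added illustration of that principle; it is not code from Thandy, from Tor or from the original post. Its manifest format and field names, the throwaway Ed25519 key pair standing in for a key pinned at install time, the payload bytes and the five delivery scenarios are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the metadata fetched from the CDN next to the package: a constructed, simplified stand-in for Thandy's signed package files, not the real format.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`  // hex digest of the package bytes
	Expires int64  `json:"expires"` // unix time after which it is refused
}

// SignedManifest keeps the exact signed bytes, so verification never depends on re-encoding.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrExpired      = errors.New("manifest expired")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrHashMismatch = errors.New("package hash does not match manifest")
)

// Client holds the only trusted state (pinned publisher key, installed version, clock); none of it comes from the CDN.
type Client struct {
	PublisherKey     ed25519.PublicKey
	InstalledVersion int
	Now              func() time.Time
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest is the publisher side; the private key never touches the CDN.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	b, _ := json.Marshal(m) // cannot fail for this struct
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// VerifyUpdate accepts a package only if the CDN could not have altered, replayed or downgraded it.
func (c *Client) VerifyUpdate(sm SignedManifest, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(c.PublisherKey, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature // metadata edited in transit
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if c.Now().Unix() > m.Expires {
		return m, ErrExpired // stale but genuinely signed metadata replayed
	}
	if m.Version <= c.InstalledVersion {
		return m, ErrRollback // older signed release replayed
	}
	if digest(pkg) != m.SHA256 {
		return m, ErrHashMismatch // binary swapped, metadata left intact
	}
	return m, nil
}

// Demo runs five constructed delivery scenarios (one honest CDN, four hostile) and returns each verdict in order.
func Demo() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway stand-in for the pinned key
	if err != nil { panic(err) }
	now := time.Unix(1700000000, 0)
	c := &Client{PublisherKey: pub, InstalledVersion: 3, Now: func() time.Time { return now }}
	pkg := []byte("constructed update payload v4") // stands in for the binary
	evilPkg := []byte("backdoored payload")
	good := Manifest{Version: 4, SHA256: digest(pkg), Expires: now.Add(24 * time.Hour).Unix()}
	evil, stale, old := good, good, good
	evil.SHA256 = digest(evilPkg)
	evilBytes, _ := json.Marshal(evil) // CDN rewrites the metadata but cannot re-sign it
	stale.Expires = now.Add(-time.Hour).Unix()
	old.Version = 2
	sm := SignManifest(priv, good)
	check := func(sm SignedManifest, pkg []byte) error { _, err := c.VerifyUpdate(sm, pkg); return err }
	return []error{
		check(sm, pkg),                                          // honest CDN
		check(sm, evilPkg),                                      // binary swapped
		check(SignedManifest{evilBytes, sm.Signature}, evilPkg), // metadata edited
		check(SignManifest(priv, stale), pkg),                   // expired replay
		check(SignManifest(priv, old), pkg),                     // rollback replay
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("scenario %d: %v\n", i+1, err)
	}
}
```

The order of checks matters for an audit: the signature is verified over the exact bytes received before anything in them is trusted, expiry catches a CDN that keeps serving a once-valid manifest indefinitely, and the version comparison catches a CDN that serves a genuinely signed but older release. A client that only hashes the binary against metadata it also fetched from the CDN defends against none of these.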



