When you're promising real anonymity and encouraging whistleblowers, activists, and journalists to use it, the risks with exposing people in the field are too great.
It's the Tor Project's position that the most important thing is immediate patching through direct mechanisms in Tor Browser. I actually conceive of the problem differently: no time to wait for PureOS, we must hand over the keys to the castle to upstream) bugs in Tor Browser, or do you find it equally important that we (as they become available) enable mechanisms for the Linux developers and GNOME developers and any other upstreams to address 0-days in their code?
Is it in your opinion more important to fix immediately (i.e. Seems like the same amount of work with less payoff.īad idea to have TBB in a stable repo, for the reasons you state. TBB also has an in-browser update mechanism / verification / warning system, so it would likely clash with a package manager at this point without modifications that I don't think anyone wants to be in charge of.īut I don't see why we would want to take the package from Debian contrib, when we can pull what we want from upstream TP repo. In my opinion, it's a very wise one given that Tor is targeted by powerful and sophisticated actors. Right, that is usually the stated reason. This isn't done anymore, likely for the reason you suggest. Here that means if PureOS supergreen need to include Tor Browser, then PureOS must somehow get a security team that can track it - because Debian security team does *not* track treating testing packages as stable. On a related note (should be a filed as a separate issue if/when we want to discuss that further): In my opinion, PureOS should only expose its users to code that is security-tracked. If PureOS later creates a stable (supergreen?) branch, then in my opinion fast moving packages like Tor Browser should be omitted from that branch. PureOS (in its current form as arolling release based on Debian testing) can make use of such package that is properly free but just changing too frequent to be suitable for Debian stable.
My guess(!) to the reason that others chose to instead package a sidechannel _installer_ distributed in Debian contrib, is that Tor Browser is in nature fast-changing so not possible to reach stable Debian. In my opinion, this issue should be solved by packaging Tor Browser for Debian main.
0 kommentar(er)
