Opened 8 years ago

Closed 6 years ago

#7603 closed defect (fixed)

TBB makefile downloads deps unauthenticated

Reported by: cypherpunks
Owned by: erinn
Priority: High
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: needs-triage
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Just noticed that the TBB build system does not authenticate the dependencies it downloads. Some of the URLs (in versions*.mk) are plain HTTP and FTP, but even for HTTPS, wget is called with --no-check-certificate. And I don't see any verification of checksums or signatures going on here.

Is the TBB build somehow decentralized and redundant, like the Bitcoin people do it, so that this doesn't matter?
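
An added example, not part of the original ticket and not TBB project code: a small audit that flags the three conditions the report describes (plain HTTP/FTP URLs, `--no-check-certificate`, and no checksum or signature step) in makefile text. The sample input, the finding names and the list of tools treated as an integrity check are assumptions made for illustration.

```python
import re

# Constructed sample shaped like a versions*.mk fragment plus a fetch rule.
# Names, hosts and versions are placeholders, not taken from the TBB tree.
SAMPLE_MK = """\
ZLIB_URL=http://example.org/zlib-1.0.tar.gz
OPENSSL_URL=https://example.org/openssl-1.0.tar.gz
LIBPNG_URL=ftp://example.org/libpng-1.0.tar.gz
WGET=wget --no-check-certificate
fetch-zlib:
\t$(WGET) $(ZLIB_URL)
"""

URL_RE = re.compile(r"\b(https?|ftp)://[^\s)]+", re.IGNORECASE)
TLS_OFF_RE = re.compile(r"--no-check-certificate\b")
# Assumption: an integrity check shows up as one of these common tools.
VERIFY_RE = re.compile(r"\b(sha(256|512)sum|shasum|gpgv?)\b")


def audit(text):
    """Return (line_no, kind, detail) findings for makefile text.

    line_no 0 marks a whole-file finding.
    """
    findings = []
    saw_url = saw_verify = False
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop make comments
        for m in URL_RE.finditer(code):
            saw_url = True
            if m.group(1).lower() != "https":
                findings.append((no, "cleartext-url", m.group(0)))
        if TLS_OFF_RE.search(code):
            findings.append((no, "tls-verification-disabled", code.strip()))
        if VERIFY_RE.search(code):
            saw_verify = True
    if saw_url and not saw_verify:
        findings.append((0, "no-integrity-check", "no checksum or signature step found"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MK):
        print(finding)
```

The whole-file check is a heuristic: it only confirms that some verification tool is invoked, not that every downloaded artifact is covered by it.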

Change History (2)

comment:1 Changed 6 years ago by erinn

Keywords: needs-triage added

comment:2 Changed 6 years ago by erinn

Resolution: fixed
Status: new → closed

Closing this since it's fixed in the gitian builds we do.