Opened 7 years ago

Closed 7 years ago

#8286 closed enhancement (fixed)

Fetch software during TBB build process only over trusted HTTPS

Reported by: ioerror
Owned by: erinn
Priority: High
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc: erinn, mikeperry, sebastian, arma
Actual Points: 1
Parent ID: #8288
Points:
Reviewer:
Sponsor:

Description

Currently, we fetch software using wget and we do so with all certificate checking disabled. I believe we should have a mirror of all the source code that we expect people to download and we should offer it over HTTPS.

I've put up such a mirror here as a proof of concept: https://people.torproject.org/~ioerror/src/mirrors/

I'll attach some patches to help ensure that we allow wget to verify the HTTPS cert and to ensure that we use the secure mirror.

Later, we can find a location for a mirror that is more permanent as this improves the security of the build process tremendously. It also improves the reliability as some of the download sites are extremely slow or use protocols that are prone to censorship. :(

Thoughts?

Child Tickets

Attachments (3)

third-party-urls.patch (4.0 KB) - added by ioerror 7 years ago.
Add HTTPS mirror and use it for almost all files.
wget.patch (3.0 KB) - added by ioerror 7 years ago.
versions.mk wget lines
versions-alpha.mk.patch (7.0 KB) - added by ioerror 7 years ago.


Change History (14)

comment:1 Changed 7 years ago by ioerror

Parent ID: #8288

comment:2 Changed 7 years ago by arma

In theory, if we do #8283, this ticket isn't so needed from the security side? But it is still useful from the resilience side?

Changed 7 years ago by ioerror

Attachment: third-party-urls.patch added

Add HTTPS mirror and use it for almost all files.

comment:3 Changed 7 years ago by arma

(We're ignoring the question of how the heck we get an authentic version of the unauthenticated unsigned thing in the first place, of course.)

Changed 7 years ago by ioerror

Attachment: wget.patch added

versions.mk wget lines

comment:4 in reply to: 2 Changed 7 years ago by ioerror

Replying to arma:

In theory, if we do #8283, this ticket isn't so needed from the security side? But it is still useful from the resilience side?

This is likely to be completed first as it is literally just a swap out of URLs - no program flow really needs to change. Even if it was still using the wget without cert checking, we'd _still_ be better off, I think. Certainly because our HTTPS mirror will be up but also because it will be faster and we can then add the wget change. See the attached patches.

Changed 7 years ago by ioerror

Attachment: versions-alpha.mk.patch added

comment:5 Changed 7 years ago by ioerror

Status: new → needs_review

I've also added a single diff for the alpha build versions-alpha.mk Makefile that both adds the mirror and makes wget check certs.
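The patches attached to this ticket are plain edits to the wget lines in the versions*.mk files. The following is an added example, not one of ioerror's patches, showing the same two changes (mirror URL, certificate checking left on) as a small POSIX shell helper a Makefile rule could call, plus a SHA-256 pin that the ticket does not include. Assumptions: MIRROR is the proof-of-concept mirror URL from the description; the function names, the sample filename and the all-zero hash placeholder are constructed; `--https-only` is a GNU wget option (1.15 and later) that is not used in the ticket's patches.

```shell
#!/bin/sh
# Added example, not one of the ticket's patches: a fetch helper that a
# Makefile rule could call instead of a bare "wget --no-check-certificate".
# It refuses non-HTTPS URLs, never disables certificate checking, and pins
# each download to an expected SHA-256. MIRROR is the proof-of-concept
# mirror from the ticket; the filename and hash below are constructed samples.

MIRROR="https://people.torproject.org/~ioerror/src/mirrors"

# fetch_cmd URL OUTFILE: print the wget command line the build would run.
# Prints nothing and returns 1 if URL is not HTTPS, so a URL that drifts
# back to http:// or ftp:// fails the build instead of silently downgrading.
fetch_cmd() {
    url=$1; out=$2
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # No --no-check-certificate here: wget verifies the server certificate
    # against the system CA bundle by default. --https-only (wget 1.15+)
    # additionally stops wget from following a redirect to plain HTTP.
    echo "wget --https-only -O \"$out\" \"$url\""
}

# sha256_of FILE: hex digest, using whichever tool the build host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digests match.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL OUTFILE EXPECTED_SHA256: download over verified HTTPS,
# then check the pin; on mismatch the file is removed so make cannot use it.
fetch_verified() {
    cmd=$(fetch_cmd "$1" "$2") || return 1
    eval "$cmd" || return 1
    if ! verify_sha256 "$2" "$3"; then
        echo "checksum mismatch for $2, removing" >&2
        rm -f "$2"
        return 1
    fi
}

# Usage from a build rule (constructed filename, placeholder hash):
#   fetch_verified "$MIRROR/pkg-1.0.tar.gz" pkg-1.0.tar.gz \
#       0000000000000000000000000000000000000000000000000000000000000000
```

The pin is the part the HTTPS mirror alone cannot give you: TLS authenticates the mirror host, while the hash ties the build to the exact tarball that was reviewed when it was placed on the mirror.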

comment:6 Changed 7 years ago by mikeperry

This looks great and is almost ready to merge, except: Do we also want a cron script that runs on people that tells us if any of the mirrored source either changed or got new versions upstream?

I want to avoid the situation where we switch to people.tp.org as our mirror, but then forget to ever update these packages. I think for most/all of them they simply remove the old version's tar when they release a new one, so the cron script could just email us when the version we have disappeared from upstream?

comment:7 in reply to: 6 Changed 7 years ago by ioerror

Replying to mikeperry:

This looks great and is almost ready to merge, except: Do we also want a cron script that runs on people that tells us if any of the mirrored source either changed or got new versions upstream?

I don't think so. I'd like this to happen manually.

I want to avoid the situation where we switch to people.tp.org as our mirror, but then forget to ever update these packages. I think for most/all of them they simply remove the old version's tar when they release a new one, so the cron script could just email us when the version we have disappeared from upstream?

We should never forget to update because this is how we build things. To update, first we'd need to know there was a newly released upstream version and secondly, we'd want to add the updated version to the mirror.

I envision this as a manual process just as we currently do it - except we actually get HTTPS!

comment:8 in reply to: 3 Changed 7 years ago by proper

Replying to arma:

(We're ignoring the question of how the heck we get an authentic version of the unauthenticated unsigned thing in the first place, of course.)

--> #8525 "ask build dependency maintainers to get HTTPS and GPG"

comment:9 Changed 7 years ago by mikeperry

I will be merging this as soon as I let my scripts from #8338 run for a bit (hopefully soon after the next TBB based on the FF17.0.5-esr release).

comment:10 Changed 7 years ago by mikeperry

Cleaned up versions of these patches have been pushed to mikeperry/2.4-next (along with other goodies).

comment:11 Changed 7 years ago by mikeperry

Actual Points: 1
Resolution: fixed
Status: needs_review → closed

This is now merged.
