Opened 8 years ago

Closed 3 years ago

#8288 closed enhancement (fixed)

security, reliability and repeatability issues in the TBB build process

Reported by: ioerror
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, tbb-rbm
Cc: mikeperry, erinn, sebastian, arma, mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Currently when building TBB on any system, we open the builder up to compromise. We also open ourselves up to reliability issues as a mirror might vanish and leave us out in the cold.

We rely on fetching software from servers that we do not control and in doing so, we use insecure transport mechanisms. Building TBB should not allow a local network attacker to get code execution on the builder's machine. I propose that we host at least one HTTPS mirror of the required source code. I've opened bug #8286 to discuss this topic and to propose patches. I believe this will make our build process more reliable as a third-party downed mirror will not prevent a build.

We also do not verify the dependencies for TBB - if someone were to simply tamper with the remote server's archive, the builder would be in trouble. I've opened a ticket to add what I think should be the current expected hashes to the build process in bug #8283. I think it would also make sense to _check_ against the expected hashes; I may or may not open a separate bug for that issue - thoughts?

The goal of being able to build TBB on OS X from a clean slate is currently being discussed in #8246 and I think it is a reasonable goal to try to work homebrew into the process. Homebrew ensures that a similar hash check is done on software before it installs the software. Thus we'll nearly have a totally trusted chain of tools and source code to build TBB on OS X. Later, I think we should ensure this is the same for all platforms.
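The two controls the ticket asks for (fetch dependencies only over HTTPS, and refuse any archive whose hash does not match a pinned value) can be expressed as a small POSIX shell wrapper. The script below is an added illustration written for this page, not code from the Tor Browser build scripts or from gitian/rbm; the mirror URL, the expected digest in the self-check and the function names are constructed placeholders. The self-check runs offline on a file it creates itself, since the real fetch needs a network.

```shell
#!/bin/sh
# Added example, not part of the Tor Browser build process: download a build
# dependency over HTTPS only and refuse to use it unless its SHA-256 matches a
# pinned expected value. URLs and hashes below are placeholders/constructed.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, or shasum (macOS, perl).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_hash FILE EXPECTED_SHA256: 0 on match, 1 on mismatch (details on stderr).
verify_hash() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'HASH MISMATCH for %s\n  expected: %s\n  actual:   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST: refuse anything that is not https://,
# download with certificate checking and no protocol downgrade on redirect,
# then check the hash. A mismatch removes the file so a later build step cannot
# silently pick up the tampered archive.
fetch_verified() {
  url=$1; expected=$2; dest=$3
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
  esac
  # --fail: HTTP errors are fatal; --proto '=https': redirects may not leave
  # HTTPS; no -k/--insecure, so the certificate chain is verified.
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 -L \
       -o "$dest" "$url"
  if ! verify_hash "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}

# Offline self-check on a constructed file: "hello\n" has a well-known SHA-256.
# Returns 0 only if a matching hash passes and a non-matching hash is rejected.
self_check() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  rc=0
  verify_hash "$tmp" "$good" || rc=1
  if verify_hash "$tmp" "$bad" 2>/dev/null; then rc=1; fi
  rm -f "$tmp"
  return $rc
}

self_check
# Real use would look like (placeholder URL and digest, not a real mirror):
# fetch_verified https://mirror.example.invalid/dep-1.0.tar.gz "$PINNED_SHA256" dep-1.0.tar.gz
```

The pinned digest has to come from somewhere the builder already trusts (a file committed to the build repository, as the ticket proposes in #8283), not from the same server that serves the archive; otherwise an attacker who controls the mirror can replace both.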

Child Tickets

Ticket  Type         Status  Owner     Summary
#8246   defect       closed  ioerror   build TBB on 10.8.2
#8283   enhancement  closed  ioerror   track hashes for all TBB dep source files
#8286   enhancement  closed  erinn     Fetch software during TBB build process only over trusted HTTPS
#8289   enhancement  closed  erinn     check hashes of files we download against expected hash value
#8338   enhancement  closed  erinn     Write source mirror watch scripts
#8401   project      closed  tbb-team  More closely match official Mozilla Build Machines
#8525   enhancement  closed  erinn     ask build dependency maintainers to get HTTPS and GPG

Change History (5)

comment:1 Changed 8 years ago by mcs

Cc: mcs brade added

comment:2 Changed 6 years ago by erinn

Keywords: needs-triage added

comment:3 Changed 3 years ago by cypherpunks

Component: changed from Applications/Tor bundles/installation to Applications/Tor Browser
Keywords: tbb-security added; needs-triage removed
Owner: changed from erinn to tbb-team
Severity: Normal
Status: changed from new to assigned

comment:4 Changed 3 years ago by cypherpunks

Keywords: tbb-rbm added

comment:5 Changed 3 years ago by boklm

Resolution: fixed
Status: changed from assigned to closed

This has been implemented with gitian/rbm.
