Carml lacks PGP signatures and instructions for secure installation
Meejah's carml isn't listed as officially supported by the Tor Project, but meejah is somehow listed among Tor people and carml itself is officially [[https://blog.torproject.org/exploring-tor-carml|advertised]] in the Tor blog. So, I suppose this ticket can be accepted here.
== Problem 1: no signatures
== Problem 2: no python3 docs
== Problem 3: no secure installation of carml dependencies
{{{pip install <projectname>}}} with automatic download of all dependencies from the repository, as recommended in the documentation, should never be used in secure environments, because packages in this repository are not signed (and even if they are signed, their signatures are not checked by default). Actually, some dependencies (probably old versions) can be installed as standard Debian packages, but pip will not be able to see them by default (especially in a pyvenv environment). There is only one way to install it securely:
- Download the carml bundle and its signature.
- Download bundles for all carml dependencies and their signatures.
- Verify the signatures of all downloaded bundles manually (don't ask me what to do if somebody releases his code without signatures).
- Disconnect from network.
- Install carml and its dependencies with {{{pip install /path/to/local-bundle}}}
- Create some symlinks, so carml can find all the dependencies it needs.

This is what I expect to see in the documentation. For instance, for Nyx it was done [so] (but it has only one dependency, Stem):
 - Download Nyx and its signature, and verify it.
 - Download Stem and its signature, and verify it.
 - Install Stem, install Nyx, create the necessary symlink.

As a workaround I'd suggest putting all necessary dependencies in the signed carml bundle, so users will not suffer while assembling this construction kit.
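The offline procedure above, written out as an added example (this is not code from the ticket, from carml, or from the Tor Project): every bundle in a local directory must have a detached {{{.asc}}} signature beside it, each signature is checked with {{{gpg --verify}}} before anything is installed, and pip is then run with {{{--no-index --no-deps}}} so it can neither contact PyPI nor silently fetch unverified dependencies. It assumes the signer's public key is already in the local GnuPG keyring and that the directory path and bundle names are supplied by the user.

```python
import subprocess
import sys
from pathlib import Path

# Source distributions and wheels as downloaded from a release page.
BUNDLE_SUFFIXES = (".tar.gz", ".whl", ".zip")


def pair_bundles(bundle_dir):
    """Return [(bundle, signature)] for every bundle in bundle_dir.

    Raises FileNotFoundError when any bundle lacks a sibling detached
    signature, so nothing is installed if even one artifact is unverifiable.
    """
    pairs = []
    for bundle in sorted(Path(bundle_dir).iterdir()):
        if not bundle.name.endswith(BUNDLE_SUFFIXES):
            continue
        sig = bundle.with_name(bundle.name + ".asc")
        if not sig.is_file():
            raise FileNotFoundError(f"no detached signature for {bundle.name}")
        pairs.append((bundle, sig))
    return pairs


def verify_signature(bundle, sig, gpg="gpg"):
    """Return True only if gpg accepts the detached signature over the bundle."""
    result = subprocess.run([gpg, "--batch", "--verify", str(sig), str(bundle)],
                            capture_output=True)
    return result.returncode == 0


def install_offline(bundle_dir):
    """Verify every bundle first, then install them all without touching PyPI.

    --no-index stops pip from consulting any package index; --no-deps stops it
    from pulling in unverified dependencies, so each dependency (e.g. Stem for
    Nyx) has to be present, and verified, in bundle_dir itself.
    """
    pairs = pair_bundles(bundle_dir)
    for bundle, sig in pairs:
        if not verify_signature(bundle, sig):
            raise RuntimeError(f"signature check failed for {bundle.name}")
    subprocess.run([sys.executable, "-m", "pip", "install", "--no-index",
                    "--no-deps"] + [str(b) for b, _ in pairs], check=True)
    return [b.name for b, _ in pairs]


if __name__ == "__main__":
    # Usage: python offline_install.py /path/to/bundles  (directory is an assumption)
    print(install_offline(sys.argv[1] if len(sys.argv) > 1 else "./bundles"))
```

Run it only after disconnecting from the network; pip will fail rather than fall back to downloading if a dependency is missing from the directory.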