Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed
Opened by Jacob Appelbaum@ioerror

Fetch software during TBB build process only over trusted HTTPS

Currently, we fetch software using wget and we do so with all certificate checking disabled. I believe we should have a mirror of all the source code that we expect people to download and we should offer it over HTTPS.

I've put up such a mirror here as a proof of concept: https://people.torproject.org/~ioerror/src/mirrors/

I'll attach some patches to help ensure that we allow wget to verify the HTTPS cert and to ensure that we use the secure mirror.

Later, we can find a location for a mirror that is more permanent as this improves the security of the build process tremendously. It also improves the reliability as some of the download sites are extremely slow or use protocols that are prone to censorship. :(

Thoughts?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information