Software evolves, and we think it might be the time of GetTor to go beyond its current design. Moreover, we have received valid concerns that emails could be tampered and users could get
Software evolves, and we think it might be the time of GetTor to go beyond its current design. Moreover, we have received valid concerns that emails could be tampered and users could get
malicious versions of Tor Browser (although we have no evidence that this is happening). Right now, when you get the Tor Browser via this method is ''up to you to verify its integrity''.
malicious versions of Tor Browser (although we have no evidence that this is happening). Right now, when you get the Tor Browser via this method is _up to you to verify its integrity_.
With this in mind, we have been discussing about the idea of having a signed and verified distributor app (desktop), available on official channels (OSX app store, Google Chrome store, etc), which could ease the process of downloading and verifying the integrity of Tor Browser. In other words, a user should be able to download and make sure it has the right file with just a few clicks.
With this in mind, we have been discussing about the idea of having a signed and verified distributor app (desktop), available on official channels (OSX app store, Google Chrome store, etc), which could ease the process of downloading and verifying the integrity of Tor Browser. In other words, a user should be able to download and make sure it has the right file with just a few clicks.
There has been some discussion related to this in tor-dev [https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html mailing list] and IRC channel. Below is a list of ideas that have come up ('''please add your own idea if you have one :)'''):
There has been some discussion related to this in tor-dev [mailing list](https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html) and IRC channel. Below is a list of ideas that have come up (**please add your own idea if you have one :)**):
1. Have a backend API. The "distributor" should get the download links from there.
1. Have a backend API. The "distributor" should get the download links from there.
* Advantages
* Advantages
...
@@ -15,7 +15,7 @@ There has been some discussion related to this in tor-dev [https://lists.torproj
...
@@ -15,7 +15,7 @@ There has been some discussion related to this in tor-dev [https://lists.torproj
- If the API is under a torproject.org domain, is quite possible that the access to it is blocked too. Having various mirrors could be a solution.
- If the API is under a torproject.org domain, is quite possible that the access to it is blocked too. Having various mirrors could be a solution.
- More complicated (supposedly).
- More complicated (supposedly).
Note from naif: That's always integrated in [https://github.com/globaleaks/Tor2web/wiki/GetTor Tor2web GeTor support]
Note from naif: That's always integrated in [Tor2web GeTor support](https://github.com/globaleaks/Tor2web/wiki/GetTor)
2. The "distributor" should figure out where to download Tor Browser from, possibly with hard-coded values.
2. The "distributor" should figure out where to download Tor Browser from, possibly with hard-coded values.
