security, relability and repeatability issues in the TBB build process

Currently when building TBB on any system, we open the builder up to compromise. We also open ourselves up to reliability issues as a mirror might vanish and leave us out in the cold.

We rely on fetching software from servers that we do not control and in doing so, we use insecure transport mechanisms. Building TBB should not allow a local network attacker to get code execution on the builder's machine. I propose that we host at least one HTTPS mirror of the required source code. I've opened bug legacy/trac#8286 (closed) to discuss this topic and to propose patches. I believe this will make our build process more reliable as a third-party downed mirror will not prevent a build.

We also do not verify that the dependencies for TBB are verified - if someone were to simply tamper with the remote server's archive, the builder would be in trouble. I've opened a ticket to add what I think should be the current expected hashes to the build process in bug legacy/trac#8283 (closed). I think it would also make sense to check against the expected hashes, I may or may not open a separate bug for that issue - thoughts?

To the goal of being able to build TBB on OS X from a clean slate is currently being discussed in legacy/trac#8246 (closed) and I think it is a reasonable goal to try to work homebrew into the process. Homebrew ensures that a similar hash check is done on software before it installs the software. Thus we'll nearly have a totally trusted chain of tools and source code to build TBB on OS X. Later, I think we should ensure this is the same for all platforms.

added component::applications/tor browser in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac resolution::fixed in Legacy / Trac severity::normal in Legacy / Trac status::closed in Legacy / Trac tbb-rbm in Legacy / Trac tbb-security in Legacy / Trac type::enhancement in Legacy / Trac labels

Trac:
Cc: mikeperry, erinn, sebastian, arma to mikeperry, erinn, sebastian, arma, mcs, brade

Trac:
Keywords: N/A deleted, needs-triage added

Trac:
Component: Applications/Tor bundles/installation to Applications/Tor Browser
Reviewer: N/A to N/A
Sponsor: N/A to N/A
Severity: N/A to Normal
Keywords: needs-triage deleted, tbb-security added
Owner: erinn to tbb-team
Status: new to assigned

Trac:
Keywords: N/A deleted, tbb-rbm added

This has been implemented with gitian/rbm.

Trac:
Status: assigned to closed
Resolution: N/A to fixed

closed

mentioned in issue legacy/trac#8401 (moved)

moved from legacy/trac#8288 (moved)

added Feature label and removed 1 deleted label

added 1 deleted label and removed 1 deleted label

added Security label and removed 1 deleted label