download from torproject.org hidden service #41

Open
adrelanos opened this issue Apr 17, 2013 · 7 comments

@adrelanos

Now that updating over Tor is in...

torbrowser-launcher could download from http://idnxcnkne4qt76tg.onion instead of from https://www.torproject.org/.

Advantages of .onion:

  • free end-to-end encryption (strictly speaking: Tor to Tor)
  • no SSL CAs involved
  • no Tor exit nodes involved

Disadvantages of .onion:

  • slower

@micahflee
Collaborator

I could add a "Download over hidden service" checkbox to the settings dialog (#29). However, I want to keep the interface as simple as possible. This should be fine though.

Does check.torproject.org have a hidden service? We use that to check for updates. If not, we could always check for updates not using a hidden service, but download the tarballs over the hidden service.

@adrelanos
Author

> I could add a "Download over hidden service" checkbox to the settings dialog (#29).

Please have it checked by default.

> Does check.torproject.org have a hidden service?

No:
#6096: "Add a hidden service to check.torproject.org" (imho, very unlikely)

> If not, we could always check for updates not using a hidden service, but download the tarballs over the hidden service.

Yes. (I hope that won't be necessary, however.)

Now that you in principle like my idea, we can ask The Tor Project if they are willing to put a mirror of https://check.torproject.org/RecommendedTBBVersions on https://www.torproject.org/dist/torbrowser/ (which equals http://idnxcnkne4qt76tg.onion/dist/torbrowser/) (or somewhere else).

@adrelanos
Author

Depending on their server structure, even a symlink could do. Perhaps these are different servers. In any case, they probably have a maintainer script to update https://check.torproject.org/RecommendedTBBVersions and https://www.torproject.org/dist/torbrowser/. So if there is a will, I think there is a way.

That file seems to live here:
https://gitweb.torproject.org/erinn/torbrowser.git/blob/HEAD:/build-scripts/recommended-versions

(There are multiple forks of torbrowser.git.)

Same file as raw, easier to parse:
https://gitweb.torproject.org/erinn/torbrowser.git/blob_plain/HEAD:/build-scripts/recommended-versions

Is there a hidden service for https://gitweb.torproject.org?

@adrelanos
Author

After grepping and looking into https://gitweb.torproject.org/erinn/torbrowser.git/tree, the nearest thing to copying TBB to the website is https://gitweb.torproject.org/erinn/torbrowser.git/blob/HEAD:/build-scripts/DEPLOYMENT. That file is quite outdated (svn links do not work anymore). I haven't found a maintenance script for uploading TBB to the website; maybe it's not published, and I don't think they look into DEPLOYMENT; perhaps they have unpublished notes or do it from memory. So I don't think we can propose a patch just adding one line of "cp". Since several people are involved in uploading TBB...

Could you please ask on the mailing list if they could copy https://check.torproject.org/RecommendedTBBVersions to https://www.torproject.org/dist/torbrowser/ (or somewhere else appropriate (with hidden service access))?

@micahflee
Collaborator

Keeping https://check.torproject.org/RecommendedTBBVersions on https://www.torproject.org/ somewhere is also important because I just added support for mirrors (#32). You can now download the tarball and sig from any of the up-to-date torproject.org mirrors.

If torproject.org is being censored, a user can try a different mirror and possibly be able to download TBB that way. Only if check.torproject.org is also being censored, TBL doesn't have any other way of checking for what version to download, so the mirrors no longer help.

I'll ask tor-dev about it.
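
The dependency described in the comment above, as an added example that is not part of the thread or of torbrowser-launcher's code: a small source planner showing that mirrors and the hidden service only help while some copy of the version file is reachable. The `mirror.example` host, the function names, and the copy of RecommendedTBBVersions under `dist/torbrowser/` (the proposal made in this thread) are assumptions.

```python
from urllib.parse import urlsplit

# URLs quoted in the thread.
CHECK_URL = "https://check.torproject.org/RecommendedTBBVersions"
CLEARNET_DIST = "https://www.torproject.org/dist/torbrowser/"
ONION_DIST = "http://idnxcnkne4qt76tg.onion/dist/torbrowser/"
# Constructed placeholder, not a real torproject.org mirror.
MIRROR_DIST = "https://mirror.example/dist/torbrowser/"
VERSION_FILE = "RecommendedTBBVersions"


def first_reachable(urls, blocked_hosts):
    """Return the first URL whose host is not in blocked_hosts, else None."""
    for url in urls:
        if urlsplit(url).hostname not in blocked_hosts:
            return url
    return None


def plan_update(blocked_hosts, prefer_onion=True, version_file_on_dist=False):
    """Choose where to read the recommended version and where to download.

    version_file_on_dist models the proposal in the thread (an assumption,
    not something known to exist): a copy of RecommendedTBBVersions kept in
    each dist/torbrowser/ directory.
    """
    dist = [CLEARNET_DIST, MIRROR_DIST]
    if prefer_onion:
        dist.insert(0, ONION_DIST)
    version = [CHECK_URL]
    if version_file_on_dist:
        copies = [base + VERSION_FILE for base in dist]
        # With the onion preference the copies go first, otherwise they are fallbacks.
        version = copies + version if prefer_onion else version + copies
    version_url = first_reachable(version, blocked_hosts)
    dist_url = first_reachable(dist, blocked_hosts)
    over_onion = bool(version_url) and urlsplit(version_url).hostname.endswith(".onion")
    return {
        "version_url": version_url,
        "dist_url": dist_url,
        "can_update": version_url is not None and dist_url is not None,
        # False means the check still depends on an exit node and a CA.
        "version_check_over_onion": over_onion,
    }
```

The planner only selects sources; whichever one serves the tarball, the file still has to be verified against the signature downloaded with it.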

@micahflee
Collaborator

I posted a tor bug about this: https://trac.torproject.org/projects/tor/ticket/8940
