Dear SRMs,

On Wednesday, 25 June 2014, intrigeri wrote:
> Micah Lee wrote (25 Jun 2014 18:35:45 GMT) :
> > * TLS/x.509 security: torbrowser-launcher doesn't rely on the CA
> > infrastructure. The only TLS it does is make HTTPS requests to
> > check.torproject.org and (if you haven't set a mirror)
> > www.torproject.org. When it connects to these hostnames, it uses a
> > hardcoded certificate. So none of the TLS PKI issues apply at
> > all here.
>
> I like the idea of using the Debian archive as a side-channel,
> presumably already somewhat trusted, to distribute the included
> certificate.
>
> @Debian maintainers: it might be nice to make the stable release team
> aware that this package will most likely need to be updated in stable
> point-releases, when the certificate changes.

I'm not sure how likely this is, but as intrigeri suggested it's
probably a good idea to notify you now that this might happen. I assume
this is not a reason to not include torbrowser-launcher in a stable
release, but it's up to you to decide. :-)

cheers,
Holger