List:       tor-talk
Subject:    Re: [tor-talk] torproject package repository
From:       James <james () insiberia ! net>
Date:       2017-08-10 22:38:00
Message-ID: 8d5f1240-486c-c634-7f11-9baa741762d9 () insiberia ! net

With that logic, Debian still is too.

dguthrie@posteo.net:
> With the exception that their servers are likely to still be rooted.
> 
> James:
> > Duncan:
> > 
> > > 
> > > For future reference, Mint is based on Ubuntu. Find out the
> > > corresponding version that Mint is basing on, and use the Tor Project's
> > > Deb repository for that (this is almost certainly how it has been
> > > configured). I don't know what Mint's policy is but I'd be very
> > > surprised if this was default. Maybe you added it and forgot about it at
> > > an earlier date. I suppose it's possible they have it listed under
> > > additional repositories for the sake of convenience for Mint's users.
> > > 
> > > A word of warning I'd urge you to take heed of: Mint have had some
> > > severe security issues in the past, both in updating packages (by
> > > default they hold essential security updates such as to the kernel back
> > > for "stability") and issues on their server. In a nutshell, they have
> > > been running a large software project like amateurs and their servers
> > > were accordingly rooted.
> > > They had their servers compromised twice within the last two years, by
> > > means of outdated and ill-configured WordPress plugins. Their forum
> > > contents, including user details and passwords, were compromised and put
> > > up for sale for a paltry sum on some dodgy website (if I remember the
> > > reporting at the time, this happened more than once); and downloads were
> > > replaced with malicious ISO images that included spyware.
> > > There is no evidence they changed their security practices, so it's
> > > reasonable to suggest that their servers are still compromised, or that
> > > it is so trivial to do so that it will happen again. I would recommend
> > > installing Debian or Ubuntu directly, as both these distributions have
> > > good security practices.
> > > 
> > > > But the only package that shows up in Mint's software manager is
> > > > "torbrowser-launcher", maintained by Ubuntu Developers
> > > > <ubuntu-devel-discuss@lists.ubuntu.com>.
> > > > I was curious if anyone used this torbrowser-launcher, or if
> > > > Torproject devs would highly frown on it?
> > > > 
> > > > Its description:  "helps download & install torbrowser." Doesn't
> > > > mention anything about it verifying TBB signature, which I always do.
> > > > 
> > 
> > > Best,
> > > Duncan
> > http://www.infoworld.com/article/3182824/linux/is-linux-mint-a-secure-distribution.html
> > https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
> > https://superuser.com/questions/882957/how-to-make-sure-that-repositories-added-to-linux-mint-are-safe-and-secure
> > https://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
> > 
> > Duncan, I think you're trashing a distro based on what happened in 17.3
> > from overseas. The smart thing is to checksum the download. There are a
> > few articles above that talk about this. And there are two sets that
> > verify the downloads now. So, in fairness, I believe Mint isn't any
> > different than Ubuntu or Debian. Don't forget Debian was vulned a while
> > back too. All of these come from the same place and some of these repos
> > are interchangeable. I think your subjective ideas are simply out of
> > date and wrong now. (P.S., there are more links to prove what I am
> > saying here)