intrigeri:
> Hi,
>
> adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
>> Goal:
>
>> - big file downloads
>> - at least as secure as TLS
>> - at least as simple as a regular download using a browser
>> - not using TLS itself (too expensive) for bulk download
>
>> The problem: [...]
>
> + verify that the signed file you've downloaded is actually the
> version you intended to download, and not an older, also properly
> signed one.
I didn't want to make such high requirements. At the moment, problems
are worse, most downloads (http) aren't even as safe as TLS.
Any tool as safe as TLS and also defeating your + is of course welcome
as well.
> See tools that take this into account:
> - Thandy (already mentioned by Moritz)
As far I know, Thandy is unfinished, no longer developed, Tor package
centric, derived from TUF, downloader. Therefore not useful for the
general use case?
> - TUF:
> https://www.updateframework.com/
TUF is awesome. They're creating a library, others can use in their
applications. But then we're back to the original problem of this
thread: how to get this application in the first place and at least as
safe as TLS?
> - our design for incremental updates:
> https://tails.boum.org/todo/incremental_upgrades/
This is awesome as well, but I believe it solves a different problem.
This one was: how to initially download? Then you're back to OpenPGP,
which very few people use.
> Other than this, our current take on it is, I believe, making it
> easier to verify OpenPGP detached signatures. E.g. we're working to
> make it work flawlessly on the GNOME desktop.
So you're working with Debian/upstream to integrate OpenPGP verification
better into the operating system?