Re: [Tails-dev] About the download and verification of test …

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] About the download and verification of test images
Hi,

first of all: thanks a lot for working on improving this key step of
Tails user experience, and in particular of first-time UX!

I'm sorry it took me a month to reply. I've been busy with work, and
also with spending great time to avoid working too much.

Also, I'm concerned that so few of us have time to spend on this
questions from the technical/security PoV, which hasn't been
motivating me to reply promptly. I'll be the one to do it once more,
because hey, our dear UX/web/design/doc people will have to make
a decision anyway, so better have at least another pair of eyes with
a different skillset look at it. I'd love to see us improve the UX/dev
interface in the future, though. I think that all parties have
something to learn, something to gain, and some things to improve on
this topic. Time to re-read the notes from our 2015 summit about
it? :)

sajolida wrote (12 Jan 2016 15:47:16 GMT) :
> As part of our work on integrating the new installation assistant and
> ISO verification extension in the rest of the website, we need to decide
> how to advertise the download and verification of test ISO images as
> these ones won't be available through the ISO verification extension
> (the extension only allows downloading the latest official ISO image).


> Until now we were using buttons to the direct download of ISO images and
> their signature. See for example
> https://tails.boum.org/news/test_2.0-beta1/index.en.html.


[snipping bits about OpenPGP verification -- anyone who cares, this is
now #11027, that is a related but quite broader topic]

> Does this sound reasonable to you for test images?


When reading this initially I didn't understand what was the actual
proposal, and am still struggling to find it in the message I'm
replying to. But it's my bad in the end: I've asked clarifications to
sajolida last month about it, and failed to take note of his reply, so
I'm kinda back to square one. Oops, sorry!

So please take my comments with a grain of salt, it's entirely
possible that I misunderstood what is the exact proposal we
should discuss.

In principle, I'm totally fine with _not_ integrating test images into
the installation assistant (IA). I have three half-good reasons to think
it's OK:

* We clearly state that such images are not as trustworthy as actual
releases, which (I guess) implies that most users who choose to
test them entrust them with sensitive data, which implies that
a poor verification process is no big deal in most cases.

* Our dear IA/DAVE team has already spent much more time than planned
on producing the great thing that is live on our website.

 * I expect mostly power-users to try our test images, so hopefully
   they will be able to download, verify and install them in some
   other way:
    - download: direct link to the ISO is enough
    - verify: see below
    - install: I think it's fair enough to assume that the majority of
      thetarget user base of these test images will know how to do
      this; I'll leave it as an exercice for our dear sajolida to find
      out how to nicely convey this message in calls for testing we
      issue :)


>From my perspective, none of these reasons would be fully convincing

in itself, but all added up the conclusion totally makes sense to me.

I find it important that we preserve the ability, for skilled users
who desire so, to verify such an image with a proper cryptographic
trust path leading from Tails developers to the end-user. I don't mean
to interfere with the IA/DAVE team's work, in terms of how exactly
this is implemented, so I'll stick to phrase what I think we should do
at this abstraction level. For the mere purpose of illustrating why
I say "preserve" above, not meaning the need has to be satisfied
exactly this way forever and ever: currently we provide this ability
thanks to a detached OpenPGP signature, made with a key whose security
and usage policy is well thought and advertised, and that is pretty
well linked to the OpenPGP web-of-trust.

> As an improvement, shall we point people to
> https://archive.torproject.org/ when downloading these?


If the administrators of this service are fine with it, why not: it
will give better download verification for non-power-users. But then
these very same people might be stuck with a nice ISO image and no
documentation about how to install it (see above). There's certainly
a set of Tails users who know by heart how to install an ISO without
any doc, but don't know how to use the WoT, and are keen to try our
test images, but all in all I'm not sure the advantage it's worth the
effort. I say: your time+energy, your call.

Minor implementation detail: last time I checked carefully, only one
of the two mirrors behind this hostname was serving our stuff, which
is why (last time I checked) only one of those was in our round-robin
pool of HTTP mirrors. If it's still the case, then we cannot do what
you propose. This situation may very well have changed, I dunno.

sajolida wrote (13 Jan 2016 11:55:33 GMT) :
> Now I see that anonym reported #10915: "Consider publishing torrents for
> betas and RCs" which would work great to solve the basic download
> verification problem. I'm all for it.


Indeed, this would be another way to improve security for the "set of
Tails users who know by heart how to install an ISO without any doc,
but don't know how to use the WoT, and are keen to try our test
images". And regardless, as we see on #10915 we have good reasons to
do so anyway. Let's do it. sajolida, will your team take it as part of
the question this thread is about, or shall we organize
things differently?

Thanks again!

Cheers,
--
intrigeri