[Pkg-privacy-maintainers] Bug#814432: tails-installer should download and authenticate live ISO images

Thu Feb 11 14:39:39 UTC 2016

Package: tails-installer
Version: 4.4.6+dfsg-1~bpo8+1
Severity: wishlist

I just tried tails-installer from backports today.

I got presented with this dialog:

http://paste.anarc.at/snap-2016.02.11-09.21.24.png

Here, if I click on the "(Aucun)" ("(None)") button below "Use
existing Live system ISO:", I get presented with a file browser.

It is not clear to me what I am expected to do at this point.

I will take a wild guess, and assume I am supposed to go on
https://tails.boum.org/ and download an ISO. But I actually get served
with another Wizard where I need to click through and eventually am
asked to switch web browsers and install a firefox addon or download
some torrent thing.

That all sounds very strange to my insecure little mind.

I am exaggerating, of course, but I was expecting something more like
the tor browser launcher, which actually downloads the software for me
and does the busy things of verifying crypto signatures and
everything. That way there is a trust path between me and the
developpers that does not depend on the CA cartel (as I understand the
current approach seem to depend on).

Maybe such a trust path already exists and the installer does some
more verification later on - I haven't checked in the code (or more
precisely, couldn't find that it does actually check the .sig) and it
doesn't provide any visual feedback that it does check the signature.

But it sure would help in usability if the launcher could download
some stuff on its own. There's a python-libtorrent library in Debian
which could be used to download through bittorrent, even:

http://libtorrent.org/

It is the library behind the Deluge client:

http://deluge-torrent.org/

Some sample code is available from Stack Overflow (CC-BY-SA 3.0):

http://stackoverflow.com/questions/5400828/how-to-write-a-simple-bittorrent-application

This should be fairly simple to implement...

Still: it is a huge improvement to have this software available to
install tails! Previously, setting up Tails was a surprisingly
difficult undertaking and this is a huge leap forward in
usability. Congratulations to everyone involved and thanks!

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tails-installer depends on:
ii  gdisk              0.8.10-2
ii  genisoimage        9:1.1.11-3
ii  gir1.2-glib-2.0    1.42.0-2.2
ii  gir1.2-gtk-3.0     3.14.5-1+deb8u1
ii  gir1.2-udisks-2.0  2.1.3-5
ii  mtools             4.0.18-2
ii  p7zip-full         9.20.1~dfsg.1-4.1+deb8u1
ii  policykit-1        0.105-8
ii  python             2.7.9-1
ii  python-configobj   5.0.6-1
ii  python-gi          3.14.0-1
ii  python-urlgrabber  3.9.1-4.1
ii  syslinux           3:6.03+dfsg-5+deb8u1

tails-installer recommends no packages.

tails-installer suggests no packages.

-- no debconf information