mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 23:53:32 +01:00
40 lines
1.3 KiB
Plaintext
40 lines
1.3 KiB
Plaintext
|
|
||
|
Notes on an auto updater:
|
||
|
|
||
|
steve wants a "latest" symlink so he can always just fetch that.
|
||
|
|
||
|
roger worries that this will exacerbate the "what version are you
|
||
|
using?" "latest." problem.
|
||
|
|
||
|
weasel suggests putting the latest recommended version in dns. then
|
||
|
we don't have to hit the website. it's got caching, it's lightweight,
|
||
|
it scales. just put it in a TXT record or something.
|
||
|
|
||
|
but, no dnssec.
|
||
|
|
||
|
roger suggests a file on the https website that lists the latest
|
||
|
recommended version (or filename or url or something like that).
|
||
|
|
||
|
(steve seems to already be doing this with xerobank. he additionally
|
||
|
suggests a little blurb that can be displayed to the user to describe
|
||
|
what's new.)
|
||
|
|
||
|
how to verify you're getting the right file?
|
||
|
a) it's https.
|
||
|
b) ship with a signing key, and use some openssl functions to verify.
|
||
|
c) both
|
||
|
|
||
|
andrew reminds us that we have a "recommended versions" line in the
|
||
|
consensus directory already.
|
||
|
|
||
|
if only we had some way to point out the "latest stable recommendation"
|
||
|
from this list. we could list it first, or something.
|
||
|
|
||
|
the recommended versions line also doesn't take into account which
|
||
|
packages are available -- e.g. on Windows one version might be the best
|
||
|
available, and on OS X it might be a different one.
|
||
|
|
||
|
aren't there existing solutions to this? surely there is a beautiful,
|
||
|
efficient, crypto-correct auto updater lib out there. even for windows.
|
||
|
|