Univesal identical updates

It may be better I don’t tell what is main fear unless Ubuntu people want to mention that. I suggest adding optional system that verifies updates’ checksums through completely IP hidding proxy like Tor.
Notes:

  1. Tor is slow for downloading whole files
  2. if this system set to be unchangeable by updates it can checks previously installed updates that downloaded through a method that has revealed user’s country to Ubuntu (for example by a betraying VPN)
  3. Downloading whole file through Tor for example. will cause problems like dangerous users targeting

About installation media, the user itself manually can check its checksum using above method.

I forgot to add:

3.And downloading whole file through Tor for example. will cause problems like dangerous users targeting

About installation media, the user itself manually can check its checksum using above method.

Were Ubuntu and governments cooperating, then routing checksums through Tor would seem a waste of effort for several reasons.

Checksums are not the primary form of package authentication. Start with https://debian-handbook.info/browse/stable/sect.package-authentication.html for a decent primer.

Oh, and in Discourse, you can edit your posts.

1 Like

I know that Ubuntu OS checks updates signatures. The system I offer is for assuring users in china receive same updates as in UK.
Consider that user can do these checks by this system several times through different VPNs or proxies (not only Tor)

That’s exactly what we already have in place. If the package isn’t authentic, then apt says so. Simple as that.

I removed the reason it is necessary, so I don’t blame you that you didn’t understand what is problem here. I think I can mention that, but only after these 3 examples (I was able to use a lot more simple and non paranoid example but I thinks this ones are better considering addressee)
These are some groups that government persons may don’t like

  1. Whistle-blowers
  2. Before mentioning this group, consider some in the government think psycho stimulants are good for science. Second group are those who spread stories like below one and they are OK to be bio assassinated based on their age, degree or maybe race. The story: There was 3 companies that was producing caffeine test strips for drinks for those who don’t trust waitress in coffee shop or companies to give them real decaf coffee. All of them have stopped there work one of them even before distribution of its products non of these companies even not tried kick-starters.
  3. Consider you have for example terminal illness, And you think you should have at least access to non invasive test kits because doctors think you has became load on society shoulders and don’t give you on-time diagnosis so you will pay more for harder treatments after disease progressed. and you start a campaign about medical Liberation (You want to remain annomyouse until time you became popular). Consider government rich persons think same about you. They have enough money to have their own labs so they will not have same problem as you. (There are lots cheap easy to use test cassettes that not available to patients, only labs allowed to have them)

At last The problem it is cooperation of Ubuntu and governments for sending spying update packages (I can tell you there are methods that they don’t be caught by IT experts)

(I re-sending this because I mentioned it incorrectly first time)

This technique is for avoiding Ubuntu cooperation with governments that there is less chance of independent security firms in their countries.
I suggest adding an option that user can verifies updates and packages checksum through a proxy or VPN, that previously installed or are installing
Notes:

  1. This verification system should be unchangeable by updates, so it can checks previously installed updates that downloaded through a method that has revealed user’s country to Ubuntu (for example by a betraying VPN)
  2. Downloading whole file through proxies (Tor for example). will cause problems like potential activist targeting
  3. About installation media, the user itself manually can check its checksum using above method.

An alternative could be a P2P system for verifying all peers have same history of ckecksums
I think it would be reverse to what BitTorrent is. But in this mode coperation of users that download updates should be mandatory. otherwise there would be trust problem.

At least what this system have is, someone in china will not worry the first auto update happened with direct internet or does that update previous week downloaded with a loyal proxy

Instead of informing Ubuntu staff which may cause evil idea in powerful hands. I decided to start this project my self but I have to hire programmer so I started this crowdfunding
https://fundrazr.com/21N6Pe

P.S. please see my other projects, too e.g. https://fundrazr.com/71MEE3