154-automatic-updates.txt 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379
  1. Filename: 154-automatic-updates.txt
  2. Title: Automatic Software Update Protocol
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Matt Edman
  6. Created: 30-July-2008
  7. Status: Superseded
  8. Target: 0.2.1.x
  9. Superseded by thandy-spec.txt
  10. Scope
  11. This proposal specifies the method by which an automatic update client can
  12. determine the most recent recommended Tor installation package for the
  13. user's platform, download the package, and then verify that the package was
  14. downloaded successfully. While this proposal focuses on only the Tor
  15. software, the protocol defined is sufficiently extensible such that other
  16. components of the Tor bundles, like Vidalia, Polipo, and Torbutton, can be
  17. managed and updated by the automatic update client as well.
  18. The initial target platform for the automatic update framework is Windows,
  19. given that's the platform used by a majority of our users and that it lacks
  20. a sane package management system that many Linux distributions already have.
  21. Our second target platform will be Mac OS X, and so the protocol will be
  22. designed with this near-future direction in mind.
  23. Other client-side aspects of the automatic update process, such as user
  24. interaction, the interface presented, and actual package installation
  25. procedure, are outside the scope of this proposal.
  26. Motivation
  27. Tor releases new versions frequently, often with important security,
  28. anonymity, and stability fixes. Thus, it is important for users to be able
  29. to promptly recognize when new versions are available and to easily
  30. download, authenticate, and install updated Tor and Tor-related software
  31. packages.
  32. Tor's control protocol [2] provides a method by which controllers can
  33. identify when the user's Tor software is obsolete or otherwise no longer
  34. recommended. Currently, however, no mechanism exists for clients to
  35. automatically download and install updated Tor and Tor-related software for
  36. the user.
  37. Design Overview
  38. The core of the automatic update framework is a well-defined file called a
  39. "recommended-packages" file. The recommended-packages file is accessible via
  40. HTTP[S] at one or more well-defined URLs. An example recommended-packages
  41. URL may be:
  42. https://updates.torproject.org/recommended-packages
  43. The recommended-packages document is formatted according to Section 1.2
  44. below and specifies the most recent recommended installation package
  45. versions for Tor or Tor-related software, as well as URLs at which the
  46. packages and their signatures can be downloaded.
  47. An automatic update client process runs on the Tor user's computer and
  48. periodically retrieves the recommended-packages file according to the method
  49. described in Section 2.0. As described further in Section 1.2, the
  50. recommended-packages file is signed and can be verified by the automatic
  51. update client with one or more public keys included in the client software.
  52. Since it is signed, the recommended-packages file can be mirrored by
  53. multiple hosts (e.g., Tor directory authorities), whose URLs are included in
  54. the automatic update client's configuration.
  55. After retrieving and verifying the recommended-packages file, the automatic
  56. update client compares the versions of the recommended software packages
  57. listed in the file with those currently installed on the end-user's
  58. computer. If one or more of the installed packages is determined to be out
  59. of date, an updated package and its signature will be downloaded from one of
  60. the package URLs listed in the recommended-packages file as described in
  61. Section 2.2.
  62. The automatic update system uses a multilevel signing key scheme for package
  63. signatures. There are a small number of entities we call "packaging
  64. authorities" that each have their own signing key. A packaging authority is
  65. responsible for signing and publishing the recommended-packages file.
  66. Additionally, each individual packager responsible for producing an
  67. installation package for one or more platforms has their own signing key.
  68. Every packager's signing key must be signed by at least one of the packaging
  69. authority keys.
  70. Specification
  71. 1. recommended-packages Specification
  72. In this section we formally specify the format of the published
  73. recommended-packages file.
  74. 1.1. Document Meta-format
  75. The recommended-packages document follows the lightweight extensible
  76. information format defined in Tor's directory protocol specification [1]. In
  77. the interest of self-containment, we have reproduced the relevant portions
  78. of that format's specification in this Section. (Credits to Nick Mathewson
  79. for much of the original format definition language.)
  80. The highest level object is a Document, which consists of one or more
  81. Items. Every Item begins with a KeywordLine, followed by zero or more
  82. Objects. A KeywordLine begins with a Keyword, optionally followed by
  83. whitespace and more non-newline characters, and ends with a newline. A
  84. Keyword is a sequence of one or more characters in the set [A-Za-z0-9-].
  85. An Object is a block of encoded data in pseudo-Open-PGP-style
  86. armor. (cf. RFC 2440)
  87. More formally:
  88. Document ::= (Item | NL)+
  89. Item ::= KeywordLine Object*
  90. KeywordLine ::= Keyword NL | Keyword WS ArgumentChar+ NL
  91. Keyword ::= KeywordChar+
  92. KeywordChar ::= 'A' ... 'Z' | 'a' ... 'z' | '0' ... '9' | '-'
  93. ArgumentChar ::= any printing ASCII character except NL.
  94. WS ::= (SP | TAB)+
  95. Object ::= BeginLine Base-64-encoded-data EndLine
  96. BeginLine ::= "-----BEGIN " Keyword "-----" NL
  97. EndLine ::= "-----END " Keyword "-----" NL
  98. The BeginLine and EndLine of an Object must use the same keyword.
  99. In our Document description below, we also tag Items with a multiplicity in
  100. brackets. Possible tags are:
  101. "At start, exactly once": These items MUST occur in every instance of the
  102. document type, and MUST appear exactly once, and MUST be the first item in
  103. their documents.
  104. "Exactly once": These items MUST occur exactly one time in every
  105. instance of the document type.
  106. "Once or more": These items MUST occur at least once in any instance
  107. of the document type, and MAY occur more than once.
  108. "At end, exactly once": These items MUST occur in every instance of
  109. the document type, and MUST appear exactly once, and MUST be the
  110. last item in their documents.
  111. 1.2. recommended-packages Document Format
  112. When interpreting a recommended-packages Document, software MUST ignore
  113. any KeywordLine that starts with a keyword it doesn't recognize; future
  114. implementations MUST NOT require current automatic update clients to
  115. understand any KeywordLine not currently described.
  116. In lines that take multiple arguments, extra arguments SHOULD be
  117. accepted and ignored.
  118. The currently defined Items contained in a recommended-packages document
  119. are:
  120. "recommended-packages-format" SP number NL
  121. [Exactly once]
  122. This Item specifies the version of the recommended-packages format that
  123. is contained in the subsequent document. The version defined in this
  124. proposal is version "1". Subsequent iterations of this protocol MUST
  125. increment this value if they introduce incompatible changes to the
  126. document format and MAY increment this value if they only introduce
  127. additional Keywords.
  128. "published" SP YYYY-MM-DD SP HH:MM:SS NL
  129. [Exactly once]
  130. The time, in GMT, when this recommended-packages document was generated.
  131. Automatic update clients SHOULD ignore Documents over 60 days old.
  132. "tor-stable-win32-version" SP TorVersion NL
  133. [Exactly once]
  134. This keyword specifies the latest recommended release of Tor's "stable"
  135. branch for the Windows platform that has an installation package
  136. available. Note that this version does not necessarily correspond to the
  137. most recently tagged stable Tor version, since that version may not yet
  138. have an installer package available, or may have known issues on
  139. Windows.
  140. The TorVersion field is formatted according to Section 2 of Tor's
  141. version specification [3].
  142. "tor-stable-win32-package" SP Url NL
  143. [Once or more]
  144. This Item specifies the location from which the most recent
  145. recommended Windows installation package for Tor's stable branch can be
  146. downloaded.
  147. When this Item appears multiple times within the Document, automatic
  148. update clients SHOULD select randomly from the available package
  149. mirrors.
  150. "tor-dev-win32-version" SP TorVersion NL
  151. [Exactly once]
  152. This Item specifies the latest recommended release of Tor's
  153. "development" branch for the Windows platform that has an installation
  154. package available. The same caveats from the description of
  155. "tor-stable-win32-version" also apply to this keyword.
  156. The TorVersion field is formatted according to Section 2 of Tor's
  157. version specification [3].
  158. "tor-dev-win32-package" SP Url NL
  159. [Once or more]
  160. This Item specifies the location from which the most recent recommended
  161. Windows installation package and its signature for Tor's development
  162. branch can be downloaded.
  163. When this Keyword appears multiple times within the Document, automatic
  164. update clients SHOULD select randomly from the available package
  165. mirrors.
  166. "signature" NL SIGNATURE NL
  167. [At end, exactly once]
  168. The "SIGNATURE" Object contains a PGP signature (using a packaging
  169. authority signing key) of the entire document, taken from the beginning
  170. of the "recommended-packages-format" keyword, through the newline after
  171. the "signature" Keyword.
  172. 2. Automatic Update Client Behavior
  173. The client-side component of the automatic update framework is an
  174. application that runs on the end-user's machine. It is responsible for
  175. fetching and verifying a recommended-packages document, as well as
  176. downloading, verifying, and subsequently installing any necessary updated
  177. software packages.
  178. 2.1. Download and verify a recommended-packages document
  179. The first step in the automatic update process is for the client to download
  180. a copy of the recommended-packages file. The automatic update client
  181. contains a (hardcoded and/or user-configurable) list of URLs from which it
  182. will attempt to retrieve a recommended-packages file.
  183. Connections to each of the recommended-packages URLs SHOULD be attempted in
  184. the following order:
  185. 1) HTTPS over Tor
  186. 2) HTTP over Tor
  187. 3) Direct HTTPS
  188. 4) Direct HTTP
  189. If the client fails to retrieve a recommended-packages document via any of
  190. the above connection methods from any of the configured URLs, the client
  191. SHOULD retry its download attempts following an exponential back-off
  192. algorithm. After the first failed attempt, the client SHOULD delay one hour
  193. before attempting again, up to a maximum of 24 hours delay between retry
  194. attempts.
  195. After successfully downloading a recommended-packages file, the automatic
  196. update client will verify the signature using one of the public keys
  197. distributed with the client software. If more than one recommended-packages
  198. file is downloaded and verified, the file with the most recent "published"
  199. date that is verified will be retained and the rest discarded.
  200. 2.2. Download and verify the updated packages
  201. The automatic update client next compares the latest recommended package
  202. version from the recommended-packages document with the currently installed
  203. Tor version. If the user currently has installed a Tor version from Tor's
  204. "development" branch, then the version specified in "tor-dev-*-version" Item
  205. is used for comparison. Similarly, if the user currently has installed a Tor
  206. version from Tor's "stable" branch, then the version specified in the
  207. "tor-stable-*version" Item is used for comparison. Version comparisons are
  208. done according to Tor's version specification [3].
  209. If the automatic update client determines an installation package newer than
  210. the user's currently installed version is available, it will attempt to
  211. download a package appropriate for the user's platform and Tor branch from a
  212. URL specified by a "tor-[branch]-[platform]-package" Item. If more than one
  213. mirror for the selected package is available, a mirror will be chosen at
  214. random from all those available.
  215. The automatic update client must also download a ".asc" signature file for
  216. the retrieved package. The URL for the package signature is the same as that
  217. for the package itself, except with the extension ".asc" appended to the
  218. package URL.
  219. Connections to download the updated package and its signature SHOULD be
  220. attempted in the same order described in Section 2.1.
  221. After completing the steps described in Sections 2.1 and 2.2, the automatic
  222. update client will have downloaded and verified a copy of the latest Tor
  223. installation package. It can then take whatever subsequent platform-specific
  224. steps are necessary to install the downloaded software updates.
  225. 2.3. Periodic checking for updates
  226. The automatic update client SHOULD maintain a local state file in which it
  227. records (at a minimum) the timestamp at which it last retrieved a
  228. recommended-packages file and the timestamp at which the client last
  229. successfully downloaded and installed a software update.
  230. Automatic update clients SHOULD check for an updated recommended-packages
  231. document at most once per day but at least once every 30 days.
  232. 3. Future Extensions
  233. There are several possible areas for future extensions of this framework.
  234. The extensions below are merely suggestions and should be the subject of
  235. their own proposal before being implemented.
  236. 3.1. Additional Software Updates
  237. There are several software packages often included in Tor bundles besides
  238. Tor, such as Vidalia, Privoxy or Polipo, and Torbutton. The versions and
  239. download locations of updated installation packages for these bundle
  240. components can be easily added to the recommended-packages document
  241. specification above.
  242. 3.2. Including ChangeLog Information
  243. It may be useful for automatic update clients to be able to display for
  244. users a summary of the changes made in the latest Tor or Tor-related
  245. software release, before the user chooses to install the update. In the
  246. future, we can add keywords to the specification in Section 1.2 that specify
  247. the location of a ChangeLog file for the latest recommended package
  248. versions. It may also be desirable to allow localized ChangeLog information,
  249. so that the automatic update client can fetch release notes in the
  250. end-user's preferred language.
  251. 3.3. Weighted Package Mirror Selection
  252. We defined in Section 1.2 a method by which automatic update clients can
  253. select from multiple available package mirrors. We may want to add a Weight
  254. argument to the "*-package" Items that allows the recommended-packages file
  255. to suggest to clients the probability with which a package mirror should be
  256. chosen. This will allow clients to more appropriately distribute package
  257. downloads across available mirrors proportional to their approximate
  258. bandwidth.
  259. Implementation
  260. Implementation of this proposal will consist of two separate components.
  261. The first component is a small "au-publish" tool that takes as input a
  262. configuration file specifying the information described in Section 1.2 and a
  263. private key. The tool is run by a "packaging authority" (someone responsible
  264. for publishing updated installation packages), who will be prompted to enter
  265. the passphrase for the private key used to sign the recommended-packages
  266. document. The output of the tool is a document formatted according to
  267. Section 1.2, with a signature appended at the end. The resulting document
  268. can then be published to any of the update mirrors.
  269. The second component is an "au-client" tool that is run on the end-user's
  270. machine. It periodically checks for updated installation packages according
  271. to Section 2 and fetches the packages if necessary. The public keys used
  272. to sign the recommended-packages file and any of the published packages are
  273. included in the "au-client" tool.
  274. References
  275. [1] Tor directory protocol (version 3),
  276. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/dir-spec.txt
  277. [2] Tor control protocol (version 2),
  278. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/control-spec.txt
  279. [3] Tor version specification,
  280. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/version-spec.txt