154-automatic-updates.txt 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377
  1. Filename: 154-automatic-updates.txt
  2. Title: Automatic Software Update Protocol
  3. Author: Matt Edman
  4. Created: 30-July-2008
  5. Status: Superseded
  6. Target: 0.2.1.x
  7. Superseded by thandy-spec.txt
  8. Scope
  9. This proposal specifies the method by which an automatic update client can
  10. determine the most recent recommended Tor installation package for the
  11. user's platform, download the package, and then verify that the package was
  12. downloaded successfully. While this proposal focuses on only the Tor
  13. software, the protocol defined is sufficiently extensible such that other
  14. components of the Tor bundles, like Vidalia, Polipo, and Torbutton, can be
  15. managed and updated by the automatic update client as well.
  16. The initial target platform for the automatic update framework is Windows,
  17. given that's the platform used by a majority of our users and that it lacks
  18. a sane package management system that many Linux distributions already have.
  19. Our second target platform will be Mac OS X, and so the protocol will be
  20. designed with this near-future direction in mind.
  21. Other client-side aspects of the automatic update process, such as user
  22. interaction, the interface presented, and actual package installation
  23. procedure, are outside the scope of this proposal.
  24. Motivation
  25. Tor releases new versions frequently, often with important security,
  26. anonymity, and stability fixes. Thus, it is important for users to be able
  27. to promptly recognize when new versions are available and to easily
  28. download, authenticate, and install updated Tor and Tor-related software
  29. packages.
  30. Tor's control protocol [2] provides a method by which controllers can
  31. identify when the user's Tor software is obsolete or otherwise no longer
  32. recommended. Currently, however, no mechanism exists for clients to
  33. automatically download and install updated Tor and Tor-related software for
  34. the user.
  35. Design Overview
  36. The core of the automatic update framework is a well-defined file called a
  37. "recommended-packages" file. The recommended-packages file is accessible via
  38. HTTP[S] at one or more well-defined URLs. An example recommended-packages
  39. URL may be:
  40. https://updates.torproject.org/recommended-packages
  41. The recommended-packages document is formatted according to Section 1.2
  42. below and specifies the most recent recommended installation package
  43. versions for Tor or Tor-related software, as well as URLs at which the
  44. packages and their signatures can be downloaded.
  45. An automatic update client process runs on the Tor user's computer and
  46. periodically retrieves the recommended-packages file according to the method
  47. described in Section 2.0. As described further in Section 1.2, the
  48. recommended-packages file is signed and can be verified by the automatic
  49. update client with one or more public keys included in the client software.
  50. Since it is signed, the recommended-packages file can be mirrored by
  51. multiple hosts (e.g., Tor directory authorities), whose URLs are included in
  52. the automatic update client's configuration.
  53. After retrieving and verifying the recommended-packages file, the automatic
  54. update client compares the versions of the recommended software packages
  55. listed in the file with those currently installed on the end-user's
  56. computer. If one or more of the installed packages is determined to be out
  57. of date, an updated package and its signature will be downloaded from one of
  58. the package URLs listed in the recommended-packages file as described in
  59. Section 2.2.
  60. The automatic update system uses a multilevel signing key scheme for package
  61. signatures. There are a small number of entities we call "packaging
  62. authorities" that each have their own signing key. A packaging authority is
  63. responsible for signing and publishing the recommended-packages file.
  64. Additionally, each individual packager responsible for producing an
  65. installation package for one or more platforms has their own signing key.
  66. Every packager's signing key must be signed by at least one of the packaging
  67. authority keys.
  68. Specification
  69. 1. recommended-packages Specification
  70. In this section we formally specify the format of the published
  71. recommended-packages file.
  72. 1.1. Document Meta-format
  73. The recommended-packages document follows the lightweight extensible
  74. information format defined in Tor's directory protocol specification [1]. In
  75. the interest of self-containment, we have reproduced the relevant portions
  76. of that format's specification in this Section. (Credits to Nick Mathewson
  77. for much of the original format definition language.)
  78. The highest level object is a Document, which consists of one or more
  79. Items. Every Item begins with a KeywordLine, followed by zero or more
  80. Objects. A KeywordLine begins with a Keyword, optionally followed by
  81. whitespace and more non-newline characters, and ends with a newline. A
  82. Keyword is a sequence of one or more characters in the set [A-Za-z0-9-].
  83. An Object is a block of encoded data in pseudo-Open-PGP-style
  84. armor. (cf. RFC 2440)
  85. More formally:
  86. Document ::= (Item | NL)+
  87. Item ::= KeywordLine Object*
  88. KeywordLine ::= Keyword NL | Keyword WS ArgumentChar+ NL
  89. Keyword ::= KeywordChar+
  90. KeywordChar ::= 'A' ... 'Z' | 'a' ... 'z' | '0' ... '9' | '-'
  91. ArgumentChar ::= any printing ASCII character except NL.
  92. WS ::= (SP | TAB)+
  93. Object ::= BeginLine Base-64-encoded-data EndLine
  94. BeginLine ::= "-----BEGIN " Keyword "-----" NL
  95. EndLine ::= "-----END " Keyword "-----" NL
  96. The BeginLine and EndLine of an Object must use the same keyword.
  97. In our Document description below, we also tag Items with a multiplicity in
  98. brackets. Possible tags are:
  99. "At start, exactly once": These items MUST occur in every instance of the
  100. document type, and MUST appear exactly once, and MUST be the first item in
  101. their documents.
  102. "Exactly once": These items MUST occur exactly one time in every
  103. instance of the document type.
  104. "Once or more": These items MUST occur at least once in any instance
  105. of the document type, and MAY occur more than once.
  106. "At end, exactly once": These items MUST occur in every instance of
  107. the document type, and MUST appear exactly once, and MUST be the
  108. last item in their documents.
  109. 1.2. recommended-packages Document Format
  110. When interpreting a recommended-packages Document, software MUST ignore
  111. any KeywordLine that starts with a keyword it doesn't recognize; future
  112. implementations MUST NOT require current automatic update clients to
  113. understand any KeywordLine not currently described.
  114. In lines that take multiple arguments, extra arguments SHOULD be
  115. accepted and ignored.
  116. The currently defined Items contained in a recommended-packages document
  117. are:
  118. "recommended-packages-format" SP number NL
  119. [Exactly once]
  120. This Item specifies the version of the recommended-packages format that
  121. is contained in the subsequent document. The version defined in this
  122. proposal is version "1". Subsequent iterations of this protocol MUST
  123. increment this value if they introduce incompatible changes to the
  124. document format and MAY increment this value if they only introduce
  125. additional Keywords.
  126. "published" SP YYYY-MM-DD SP HH:MM:SS NL
  127. [Exactly once]
  128. The time, in GMT, when this recommended-packages document was generated.
  129. Automatic update clients SHOULD ignore Documents over 60 days old.
  130. "tor-stable-win32-version" SP TorVersion NL
  131. [Exactly once]
  132. This keyword specifies the latest recommended release of Tor's "stable"
  133. branch for the Windows platform that has an installation package
  134. available. Note that this version does not necessarily correspond to the
  135. most recently tagged stable Tor version, since that version may not yet
  136. have an installer package available, or may have known issues on
  137. Windows.
  138. The TorVersion field is formatted according to Section 2 of Tor's
  139. version specification [3].
  140. "tor-stable-win32-package" SP Url NL
  141. [Once or more]
  142. This Item specifies the location from which the most recent
  143. recommended Windows installation package for Tor's stable branch can be
  144. downloaded.
  145. When this Item appears multiple times within the Document, automatic
  146. update clients SHOULD select randomly from the available package
  147. mirrors.
  148. "tor-dev-win32-version" SP TorVersion NL
  149. [Exactly once]
  150. This Item specifies the latest recommended release of Tor's
  151. "development" branch for the Windows platform that has an installation
  152. package available. The same caveats from the description of
  153. "tor-stable-win32-version" also apply to this keyword.
  154. The TorVersion field is formatted according to Section 2 of Tor's
  155. version specification [3].
  156. "tor-dev-win32-package" SP Url NL
  157. [Once or more]
  158. This Item specifies the location from which the most recent recommended
  159. Windows installation package and its signature for Tor's development
  160. branch can be downloaded.
  161. When this Keyword appears multiple times within the Document, automatic
  162. update clients SHOULD select randomly from the available package
  163. mirrors.
  164. "signature" NL SIGNATURE NL
  165. [At end, exactly once]
  166. The "SIGNATURE" Object contains a PGP signature (using a packaging
  167. authority signing key) of the entire document, taken from the beginning
  168. of the "recommended-packages-format" keyword, through the newline after
  169. the "signature" Keyword.
  170. 2. Automatic Update Client Behavior
  171. The client-side component of the automatic update framework is an
  172. application that runs on the end-user's machine. It is responsible for
  173. fetching and verifying a recommended-packages document, as well as
  174. downloading, verifying, and subsequently installing any necessary updated
  175. software packages.
  176. 2.1. Download and verify a recommended-packages document
  177. The first step in the automatic update process is for the client to download
  178. a copy of the recommended-packages file. The automatic update client
  179. contains a (hardcoded and/or user-configurable) list of URLs from which it
  180. will attempt to retrieve a recommended-packages file.
  181. Connections to each of the recommended-packages URLs SHOULD be attempted in
  182. the following order:
  183. 1) HTTPS over Tor
  184. 2) HTTP over Tor
  185. 3) Direct HTTPS
  186. 4) Direct HTTP
  187. If the client fails to retrieve a recommended-packages document via any of
  188. the above connection methods from any of the configured URLs, the client
  189. SHOULD retry its download attempts following an exponential back-off
  190. algorithm. After the first failed attempt, the client SHOULD delay one hour
  191. before attempting again, up to a maximum of 24 hours delay between retry
  192. attempts.
  193. After successfully downloading a recommended-packages file, the automatic
  194. update client will verify the signature using one of the public keys
  195. distributed with the client software. If more than one recommended-packages
  196. file is downloaded and verified, the file with the most recent "published"
  197. date that is verified will be retained and the rest discarded.
  198. 2.2. Download and verify the updated packages
  199. The automatic update client next compares the latest recommended package
  200. version from the recommended-packages document with the currently installed
  201. Tor version. If the user currently has installed a Tor version from Tor's
  202. "development" branch, then the version specified in "tor-dev-*-version" Item
  203. is used for comparison. Similarly, if the user currently has installed a Tor
  204. version from Tor's "stable" branch, then the version specified in the
  205. "tor-stable-*version" Item is used for comparison. Version comparisons are
  206. done according to Tor's version specification [3].
  207. If the automatic update client determines an installation package newer than
  208. the user's currently installed version is available, it will attempt to
  209. download a package appropriate for the user's platform and Tor branch from a
  210. URL specified by a "tor-[branch]-[platform]-package" Item. If more than one
  211. mirror for the selected package is available, a mirror will be chosen at
  212. random from all those available.
  213. The automatic update client must also download a ".asc" signature file for
  214. the retrieved package. The URL for the package signature is the same as that
  215. for the package itself, except with the extension ".asc" appended to the
  216. package URL.
  217. Connections to download the updated package and its signature SHOULD be
  218. attempted in the same order described in Section 2.1.
  219. After completing the steps described in Sections 2.1 and 2.2, the automatic
  220. update client will have downloaded and verified a copy of the latest Tor
  221. installation package. It can then take whatever subsequent platform-specific
  222. steps are necessary to install the downloaded software updates.
  223. 2.3. Periodic checking for updates
  224. The automatic update client SHOULD maintain a local state file in which it
  225. records (at a minimum) the timestamp at which it last retrieved a
  226. recommended-packages file and the timestamp at which the client last
  227. successfully downloaded and installed a software update.
  228. Automatic update clients SHOULD check for an updated recommended-packages
  229. document at most once per day but at least once every 30 days.
  230. 3. Future Extensions
  231. There are several possible areas for future extensions of this framework.
  232. The extensions below are merely suggestions and should be the subject of
  233. their own proposal before being implemented.
  234. 3.1. Additional Software Updates
  235. There are several software packages often included in Tor bundles besides
  236. Tor, such as Vidalia, Privoxy or Polipo, and Torbutton. The versions and
  237. download locations of updated installation packages for these bundle
  238. components can be easily added to the recommended-packages document
  239. specification above.
  240. 3.2. Including ChangeLog Information
  241. It may be useful for automatic update clients to be able to display for
  242. users a summary of the changes made in the latest Tor or Tor-related
  243. software release, before the user chooses to install the update. In the
  244. future, we can add keywords to the specification in Section 1.2 that specify
  245. the location of a ChangeLog file for the latest recommended package
  246. versions. It may also be desirable to allow localized ChangeLog information,
  247. so that the automatic update client can fetch release notes in the
  248. end-user's preferred language.
  249. 3.3. Weighted Package Mirror Selection
  250. We defined in Section 1.2 a method by which automatic update clients can
  251. select from multiple available package mirrors. We may want to add a Weight
  252. argument to the "*-package" Items that allows the recommended-packages file
  253. to suggest to clients the probability with which a package mirror should be
  254. chosen. This will allow clients to more appropriately distribute package
  255. downloads across available mirrors proportional to their approximate
  256. bandwidth.
  257. Implementation
  258. Implementation of this proposal will consist of two separate components.
  259. The first component is a small "au-publish" tool that takes as input a
  260. configuration file specifying the information described in Section 1.2 and a
  261. private key. The tool is run by a "packaging authority" (someone responsible
  262. for publishing updated installation packages), who will be prompted to enter
  263. the passphrase for the private key used to sign the recommended-packages
  264. document. The output of the tool is a document formatted according to
  265. Section 1.2, with a signature appended at the end. The resulting document
  266. can then be published to any of the update mirrors.
  267. The second component is an "au-client" tool that is run on the end-user's
  268. machine. It periodically checks for updated installation packages according
  269. to Section 2 and fetches the packages if necessary. The public keys used
  270. to sign the recommended-packages file and any of the published packages are
  271. included in the "au-client" tool.
  272. References
  273. [1] Tor directory protocol (version 3),
  274. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/dir-spec.txt
  275. [2] Tor control protocol (version 2),
  276. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/control-spec.txt
  277. [3] Tor version specification,
  278. https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/version-spec.txt