HTTP section - Privoxy install instructions
dr-diem opened this issue · 11 comments
Hi,
I'm the OS X maintainer for Privoxy. The Homebrew recipe for Privoxy installation is weak in a number of regards, chief among which is that it leaves Privoxy running as root which is of course an unnecessary security risk. The supported installer (available at http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/) does not suffer the weaknesses of the Homebrew recipe (it is also as easy to uninstall and includes complete instructions for configuration and obtaining support). Please could you consider altering the HTTP section of your instructions to point readers to this installer instead of using Homebrew?
Separately, many thanks for creating this guide - I've been reading through it with great interest!
Regards,
Ian Silvester
Are you sure Homebrew leaves privoxy running as root? A quick test shows the launch agent is loaded and job is run as the primary user. This point was brought up in #38. Anyway, I'm glad to add instructions for a manual installation of privoxy as well.
Thank you
You're right, it runs as the installing user not root.
Still and all, my installer creates a non-privileged, non-interative user and group to run as, offering much better security isolation and audit; should that account be compromised the attacker has access to neither an end user account nor the UI. I figured since that was the driving aim of your guide that it'd be a worthwhile improvement to use the packaged installer instead of the Homebrew recipe.
It has the side benefit of course that I can offer better support to end users since I'm intimately familiar with the supported installation package.
I hope you'll consider these good reasons to update the guide.
Cheers,
Ian
On October 29, 2015 10:56:16 AM EDT, drduh notifications@github.com wrote:
Are you sure Homebrew leaves privoxy running as root? A quick test
shows the launch agent is loaded and job is run as the primary user.
This point was brought up in
#38.
Anyway, I'm glad to add instructions for a manual installation of
privoxy as well.Thank you
Reply to this email directly or view it on GitHub:
#65 (comment)
Sourceforge is blocked by uBlock's default ruleset due to their recent badware policy, and the guide recommends uBlock, so it might be a bit contradictory to link to SF. Any alternative host for the installer?
Ha, ironic! How the mighty are fallen! I don't have an alternate location as yet; we have been considering a move to Github as it goes. I'll tell the other maintainers about uBlock's new rule and see if we can accelerate the process.
Thanks for the tip,
Ian
On October 29, 2015 11:30:44 AM EDT, Dominic Evans notifications@github.com wrote:
Sourceforge is blocked by uBlock's default ruleset due to their recent
badware
policy, and the guide recommends uBlock, so it might be a bit
contradictory to link to SF. Any alternative host for the installer?
Reply to this email directly or view it on GitHub:
#65 (comment)
Thank you for the suggestion, Ian. Let me know if you spot any other issues.
Hi again Dominic,
So there is now an alternative download URL for the official Privoxy OS
X installation packages. Please find them here:
http://silvester.org.uk/privoxy_installers/OSX/
Cheers,
Ian
On 2015-10-29 11:30, Dominic Evans wrote:
Sourceforge is blocked by uBlock's default ruleset due to their recent
badware https://duckduckgo.com/?q=sourceforge+installers+malware+mac
policy, and the guide recommends uBlock, so it might be a bit
contradictory to link to SF. Any alternative host for the installer?—
Reply to this email directly or view it on GitHub
#65 (comment).
My PGP public key
http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc.
Hi once again!
I've now modified that URL to:
http://silvester.org.uk/privoxy/OSX/
Also, we're planning to start offering this as an official
non-Sourceforge mirror, so the official project page at www.privoxy.org
will shortly also point here, so you can point folks in this direction
with no worries ;o)
I do hope you decide to update your guide - like I say the supported
installer is a more secure option that Homebrew, and that's the guide's
aim after all!
Cheers,
Ian
On 2015-10-31 18:18, Ian Silvester wrote:
Hi again Dominic,
So there is now an alternative download URL for the official Privoxy
OS X installation packages. Please find them here:http://silvester.org.uk/privoxy_installers/OSX/
Cheers,
Ian
On 2015-10-29 11:30, Dominic Evans wrote:
Sourceforge is blocked by uBlock's default ruleset due to their
recent badware
https://duckduckgo.com/?q=sourceforge+installers+malware+mac
policy, and the guide recommends uBlock, so it might be a bit
contradictory to link to SF. Any alternative host for the installer?—
Reply to this email directly or view it on GitHub
#65 (comment).My PGP public key
http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc.
My PGP public key
http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc.
Please have a look at the updated instructions at https://github.com/drduh/OS-X-Security-and-Privacy-Guide#http and let me know if there's any issues.
Hi Dominic,
Thanks for going ahead with the change, it's much appreciated. The only
alteration I'd suggest, for the sake of full disclosure, is to state
that the installation created by the signed package is more secure than
the Homebrew one and attracts full support from the Privoxy project.
Cheers,
Ian
On 2015-11-04 16:42, drduh wrote:
Please have a look at the updated instructions at
https://github.com/drduh/OS-X-Security-and-Privacy-Guide#http and let
me know if there's any issues.—
Reply to this email directly or view it on GitHub
#65 (comment).
My PGP public key
http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc.
I'm not Dominic, but have gone ahead and made your suggested clarification.
Sorry! Didn't realise there were multiple folks involved on the project.
The clarification is perfect.
Thanks again,
Ian
On 2015-11-04 16:52, drduh wrote:
I'm not Dominic, but have gone ahead and made your suggested
clarification.—
Reply to this email directly or view it on GitHub
#65 (comment).
My PGP public key
http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc.