I notice that when you click to download a file it wants to download from dist.torproject.org, rather than the .onion.
This differs from, say, the OnionShare website .onion, where when you download
a file it downloads from the .onion.
Would it be possible to change the download behavior at the torproject.org .onion’s download
page to download from the .onion rather than pivot to downloading at dist.torproject.org?
When you click download, the external file type? popup comes up
that window is replaced by a window saying the location of the .msi
file is from the .onion location and not clear net.
#################
“Hovering” over the Tor Browser link may suggest it is downloading from the .onion
but for Tor Browser it isn’t, for OnionShare it is. Unless, of course, I am wrong
somehow.
#################
Edit: My thread title should read: “Tor Browser” rather than simply “Tor.”
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dist.torproject.org/torbrowser/11.0.7/torbrowser-install-win64-11.0.7_en-US.exe">here</a>.</p>
<hr>
<address>Apache Server at 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion Port 80</address>
</body></html>
Look at the line “The document has moved”, in my mind this suggests the onion URL is just a shortcut to /dist.torproject.org/…
So this is not a bug at all, but the way they organize downloads. The actual files seem not to be hosted on the .onion server, but on dist.torproject.org
So, this is not bug, this is just a redirection of the .onion URL to the real download target. They seem to not host their files on the .onion server, that´s all.
“this is just a redirection of the .onion URL to the real download target. They seem to not host their files on the .onion server, that´s all.”
Yes, this is why I used the word, “pivot” in my Original Post.
“So, this is not bug”
I disagree. In your original post to this thread you said, “And as you can see, it fetches it from the .onion domain. To me it looks ok…” A user is on an .onion site, and for the most part, they believe a file downloaded while at the .onion site should be at the .onion site. Do you see how easily it is to misunderstand this prior to doing any checking other than “hovering?”
I believe this is a bug. I pointed out my example with the OnionShare site .onion and how their file(s) are being served by the .onion and not “pivoting” to clear net.
I’m not familiar enough with GitLab or else I’d file a bug for this. Some may not agree with me and just say that’s how the site works, deal with it, or use kinder words. But, as I pointed out with the OnionShare site’s .onion, if you’re going to point to a file(s) on an .onion, it should actually be hosted via the .onion!
Should this not be considered a bug, there should be a CLEAR WARNING for the user(s) that the file(s) are not actually being hosted on an .onion but on clear net, BEFORE they begin the download.
Thanks for your post, your efforts, and your response. Have a beautiful day!
Thanks very much for opening the ticket and for quoting+linking back here to this thread.
I also appreciate you pointing out to us the dist.tpo .onion service and the TP .onion services site. I was familiar with that site but I didn’t think to search for dist.tpo there! I know where I’ll be downloading future releases from until this is fixed!
I’ll leave this thread opened until resolved for further info/comments should any arise.