Runa A Sandvik asked me a question on Twitter:
— Runa A. Sandvik (@runasand) October 30, 2014
The answer to that question is a little too complex for Twitter, so I am going to respond to it here.
First of all, the firmware upgrade process have been described in details in an earlier news post. While it is technically possible to upgrade individual packages in OpenWrt, there are a number of issues with that (possible man-in-the-middle attack and dependency problems). The before mentioned news post also explains why we do not believe automatic updates would be a good idea.
As for maintaining Tor as part of the Cloak firmware build, there is actually currently not much maintenance to do. Tor compiles cleanly in the OpenWrt buildroot environment and needs no patching whatsoever to operate on the Cloak device. Providing the next version of Tor compiles cleanly, upgrading the Cloak firmware source will be a simple matter of updating a version number and a MD5 sum in a makefile (see our Github source here).
---------------- PKG_NAME:=tor-cloak PKG_VERSION:=0.2.4.24 PKG_RELEASE:=1 PKG_SOURCE:=tor-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.torproject.org/dist \ https://archive.torproject.org/tor-package-archive PKG_MD5SUM:=9acb86b529f0f48cc495da3801f85d1f ----------------
I have actually just tried building Cloak with the latest release candidate based on tor-0.2.5.8-rc.tar.gz and that version still builds cleanly.
We are building OpenWrt itself directly from the Git source tree and always include the latest security updates. This means that we will be releasing firmware updates for Cloak regularly. The exact release cycle has not been determined yet, but personally I do imagine a rolling update system a bit like Debian – most probably a Stable build and a Daily (or Weekly) automated build.
I hope this post assure everybody who is concerned about stale firmware in Cloak that we will be actively updating and – perhaps most important – that there will be no need for a separate fork of the Tor software itself.