Add the ability to use an alternative download location

[Phoul]

Since many places block TorProject.org, it would be useful for the launcher to accept TorProject mirrors as alternative download locations.

[micahflee]

Here's a list of mirrors: https://www.torproject.org/getinvolved/mirrors.html.en

This could be an option in the settings dialogue, but it would require that TBL maintains it's own list of mirrors, since it can't query torproject.org to get an updated list. Pull requests welcome :).

[micahflee]

We're currently doing certificate pinning to https://www.torproject.org (#1), which means that if we use any https mirrors they'll throw a cert error if they're not using the same *.torproject.org cert. This can definitely be worked around, but just a heads up about it.

https://www.torproject.org/getinvolved/mirrors.html.en currently has 10 mirrors that are listed as "Up to date", and the rest are out of date. We could implement this feature just by hard-coding those 10 up-to-date mirrors in TBL, and updating that hardcoded list in later versions if new mirrors appear and are up-to-date, or if old mirrors stop working.

Of the 10 up-to-date mirrors, 5 of them offer both http and https and the other 5 only offer http. Maybe the mirrors that offer both http and https should be listed as separate mirrors? e.g.:

http://www.torservers.net/mirrors/torproject.org/dist/
https://www.torservers.net/mirrors/torproject.org/dist/

Maybe this hard-coded list of mirrors can be a setting in the settings dialog, so people can manually choose their mirror.

Additionally, if there's a cert verification error for https://www.torproject.org/, or if there's a signature verification error after downloading that .tar.gz and .sig, you can have the option to pick a new random mirror and retry.

The biggest issue I see is if the stability of the mirrors. If this goes into Debian stable it's possible that the built-in mirror list could be outdated for months before a new update replaces it. That hopefully won't be that big of an issue.

[micahflee]

The only problem with this now is that the URL that is loaded to check for updates, https://check.torproject.org/RecommendedTBBVersions, isn't available in any of the mirrors. This should maybe change, but as it stands if your TBB is out of date you are required to update.

[Phoul]

One thing that could be done to prevent issues with outdated mirrors is allowing users to enter their own mirrors. Many of the mirrors listed on the website seem to change their status rather frequently.

Currently, if a user contacts the help desk and cannot retrieve Tor from the website, we give them a couple mirrors to try. If it were possible to give them the same mirrors and say "Plug these into TorBrowser-Launcher and try the update again" that would be even better.