Thanks for the background, I got the sense that the author had an axe to grind.
Still, I seem to recall that when the Tor Browser auto-update mechanism was deployed, the idea was that HTTPS with pinning was only the first step, and that going forward the updater would also check PGP signatures. It's a bit disappointing to see that hasn't happened yet.
Especially with reproducible builds and several trusted signers independently verifying the built binaries and signing the resulting package, this would add considerable security to the update process.