[tor-bugs] #5260 [Company]: Make ldap account for marlowe

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Mar 4 20:11:25 UTC 2012


#5260: Make ldap account for marlowe
---------------------+------------------------------------------------------
 Reporter:  marlowe  |          Owner:  weasel
     Type:  task     |         Status:  new   
 Priority:  normal   |      Milestone:        
Component:  Company  |        Version:        
 Keywords:           |         Parent:        
   Points:           |   Actualpoints:        
---------------------+------------------------------------------------------

Comment(by mikeperry):

 marlowe: I've developed a magical ritual that should obviate the need to
 get your papers inspected and your orifices sniffed by concentric rings of
 unwashed beardos:

 1. Post a url here to something signed with your key (preferably wherever
 you are currently hosting your rpm prototypes).
 2. Verify your own signature yourself from two or more different tor
 circuits, to ensure you weren't MITM'd on your end.
 3. We'll perform the same verification on our side, to ensure we see the
 same key.

 All we really care about in terms of key authentication is that whoever is
 building rpms is the same person as who was volunteering to do so. We
 don't really care about your name or your government-issued ID. Or at
 least we shouldn't...

 However, for my own peace of mind, it would be nice if we could find some
 way to authenticate that the rpms you produce actually come directly from
 the git sources. Ie: someone else can take the .spec file, the sources
 from git, and the patch set and build an identical rpm on a clean VM with
 the same sha1sum. See #3688.

 I'm not sure how we can do this and also have signed rpms, though.. But
 maybe there is a way to strip the signature from an RPM and then take the
 sha1sum?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5260#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list