[tor-bugs] #8525 [Tor bundles/installation]: ask build dependency maintainers to get HTTPS and GPG

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 17:30:30 UTC 2013


#8525: ask build dependency maintainers to get HTTPS and GPG
--------------------------------------+-------------------------------------
 Reporter:  proper                    |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  normal                    |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:  #8288
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------

Comment(by proper):

 I have reason to believe, that not all project maintainers (any project,
 any genre) are aware of the risks of not using gpg. This can be part of a
 message template when contacting them:

 > It's useful in case [http://www.extremetech.com/computing/120981-github-
 hacked-millions-of-projects-at-risk-of-being-modified-or-deleted github
 gets hacked] again in case [https://en.wikipedia.org/wiki/DigiNotar SSL
 CA's get] hacked [http://www.scmagazine.com/two-more-comodo-resellers-
 owned-in-ssl-hack/article/199620/ again].

 > zlib is on github, so perhaps we could use that to make a tarball
 ourselves... even tho that would kind of suck.
 https://github.com/madler/zlib

 What if they provided signed git tags?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8525#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list