[tor-bugs] #12871 [RPM packaging]: RPM repo data is not signed and documentation misses repo_gpgcheck

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 15 12:05:17 UTC 2014


#12871: RPM repo data is not signed and documentation misses repo_gpgcheck
---------------------------+-------------------------
 Reporter:  cypherpunks    |          Owner:  marlowe
     Type:  defect         |         Status:  new
 Priority:  normal         |      Milestone:
Component:  RPM packaging  |        Version:
 Keywords:                 |  Actual Points:
Parent ID:                 |         Points:
---------------------------+-------------------------
 The torproject RPM repos do not provide signed repomd.xml files
 (repomd.xml.asc); this would allow an attacker to 'hide' updates [1].


 From the yum.conf manpage [2]

 //repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should
 perform a GPG signature check on the repodata. When this is set in the
 [main] section it sets the default for all repositories. The default is
 '0'.//

 Once you provide repomd.xml.asc files please update [3].

 [1] https://lwn.net/Articles/327847/
 [2] http://linux.die.net/man/5/yum.conf
 [3] https://www.torproject.org/docs/rpms.html.en

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12871>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
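As an added example that is not part of the ticket or of the Tor Project's packaging or documentation: a small POSIX shell audit that reads a yum .repo file in the yum.conf(5) format quoted above and lists every repository whose effective repo_gpgcheck is not 1, applying the man page's rule that a value in [main] is the default for all repositories and that the default is otherwise 0. The sample .repo file, its section names and its baseurl/gpgkey values are constructed placeholders, not real repository locations.

```shell
#!/bin/sh
# Added example (not from the ticket or the Tor Project): audit yum .repo files
# for repodata signature checking, i.e. the repo_gpgcheck option of yum.conf(5).

# Print one line per repository whose effective repo_gpgcheck is not 1.
# Rule from the man page: a value set in [main] is the default for every repo;
# if nothing is set anywhere, the default is 0 (repodata not verified).
audit_repo_gpgcheck() {
  awk -F'=' '
    /^[ \t]*#/ { next }                               # comment line
    /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2) # new [section]
                 order[++n] = sect; val[sect] = ""; next }
    /^[ \t]*repo_gpgcheck[ \t]*=/ {                   # repo_gpgcheck = <v>
                 v = $2; gsub(/[ \t]/, "", v); val[sect] = v; next }
    END {
      def = (val["main"] != "") ? val["main"] : "0"
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (s == "main") continue
        v = (val[s] != "") ? val[s] : def
        if (v != "1")
          printf "%s: repo_gpgcheck=%s (repodata signature not verified)\n", s, v
      }
    }' "$1"
}

# Constructed sample .repo file: "good" verifies both packages and repodata,
# "weak" verifies package signatures (gpgcheck=1) but leaves repo_gpgcheck at
# its default. All URLs are placeholders, not real repositories.
write_sample_repo() {
  cat > "$1" <<'EOF'
[main]
gpgcheck=1

[good]
name=Good repo (repodata signature verified)
baseurl=https://repo.example.invalid/good
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY

[weak]
name=Weak repo (package signatures checked, repodata not)
baseurl=https://repo.example.invalid/weak
gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY
EOF
}

# Stand-alone run: write the constructed sample, audit it, clean up.
sample="${TMPDIR:-/tmp}/sample-audit.repo"
write_sample_repo "$sample"
audit_repo_gpgcheck "$sample"
rm -f "$sample"
```

A repository reported by this audit has gpgcheck=1 covering individual packages only; the repodata that lists which packages and versions exist is accepted unverified, which is the exposure the ticket describes. Setting repo_gpgcheck=1 on the client side only helps once the server publishes a repomd.xml.asc signature, since yum rejects the repodata of such a repository when the signature file is missing.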