[tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 9 15:21:44 UTC 2014


#5463: BridgeDB must GPG-sign outgoing mails
-----------------------------+----------------------------
     Reporter:  rransom      |      Owner:  isis
         Type:  enhancement  |     Status:  needs_review
     Priority:  normal       |  Milestone:
    Component:  BridgeDB     |    Version:
   Resolution:               |   Keywords:  bridgegb-email
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------------
Changes (by isis):

 * status:  needs_revision => needs_review


Comment:

 This is fixed, and there are unittests for problems encountered, in my
 `fix/5463-7547-7550-8241-11475-11753-email-rewrite`
 [https://gitweb.torproject.org/user/isis/bridgedb.git/shortlog/refs/heads/fix/5463-7547-7550-8241-11475-11753-email-rewrite branch]
 (which
 [https://gitweb.torproject.org/user/isis/bridgedb.git/tree/refs/heads/fix/5463-7547-7550-8241-11475-11753-email-rewrite:/lib/bridgedb/email rewrites the entirety]
 of the old `lib/bridgedb/EmailServer.py` module).

 There are additional fixes for the issue where libgpgme was attempting to
 load private keys from the process owner's `$HOME` directory in my
 `fix/5463-gpgme-homedir`
 [https://gitweb.torproject.org/user/isis/bridgedb.git/shortlog/refs/heads/fix/5463-gpgme-homedir branch],
 which is currently based on the
 `fix/5463-7547-7550-8241-11475-11753-email-rewrite` branch and should be
 merged after it. Additionally, since all the strings were changed to be
 (mostly) the same as the ones which are currently in use on the HTTPS
 distributor, there is a `translations/2014-05-07-update`
 [https://gitweb.torproject.org/user/isis/bridgedb.git/shortlog/refs/heads/translations/2014-05-07-update
 branch] which should be merged which updates the gettext `bridgedb.pot`
 file.

 There still is not a mechanism to include the client's email address in
 the signed portion of the message. I'm not exactly sure what adversarial
 behaviours that was intended to protect against.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

