[tor-bugs] #12871 [RPM packaging]: RPM repo data is not signed and documentation misses repo_gpgcheck
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 12 21:22:05 UTC 2014
#12871: RPM repo data is not signed and documentation misses repo_gpgcheck
-------------------------------+----------------------
Reporter: cypherpunks | Owner: hiviah
Type: defect | Status: assigned
Priority: normal | Milestone:
Component: RPM packaging | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-------------------------------+----------------------
Comment (by cypherpunks):
Just in case you are interested in knowing how official Fedora repos
handle that issue:
Fedora repos work around that problem with HTTPS. They ship the hashes of
repomd.xml via HTTPS and download it over HTTP without actually using
repo_gpgcheck at all. So I would suggest that you replace "http" with
"https" on
https://www.torproject.org/docs/rpms.html.en
thanks!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12871#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list