[tor-dev] repo: TLS vs. GPG signed files (#12871)
BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Thu Oct 23 22:37:16 UTC 2014
[I felt it is better to discuss this via email; if you feel otherwise,
feel free to move the discussion back to trac.]
Even though it was also me requesting the use of HTTPS for the repos
- and I'm glad it has been (partially) accepted and implemented - I do not
follow your comment that HTTPS is "better" than repo_gpgcheck.
It is my opinion that even in the case of HTTPS GPG signatures provide a
security improvement since (I hope) the private GPG key used to sign the
repo is less exposed than the wildcard certificate for *.tpo.
(I filed #13553 to address rogue CAs / certificate pinning for yum.)
Could you elaborate on your issue regarding repo_gpgcheck not showing
fingerprints? (It does show the GPG key fingerprint on a fc20 system
after adding repo_gpgcheck=1 and running 'yum update'.)
Thanks for providing and maintaining the RPM repo,
Importing GPG key 0x5AC001F1:
Userid : "torproject.org RPM signing key"
Fingerprint: 3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1
Is this ok [y/N]:
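The layered check this mail argues for (TLS transport plus gpgcheck plus repo_gpgcheck), as an added example that is not part of the original message or of the Tor project's own tooling; the repo hosts and key URL in the sample are constructed placeholders:

```python
# Added example (not from the tor-dev thread or the Tor project): audit a
# yum/dnf .repo file for the layers discussed in the mail, TLS transport plus
# gpgcheck (package signatures) plus repo_gpgcheck (signed repomd.xml).
import configparser

# Constructed sample: a weak stanza beside its hardened form. The hosts and
# key URL are placeholders, not the real torproject.org repo.
SAMPLE_REPO = """
[tor-weak]
name=Tor repo (weak, constructed)
baseurl=http://repo.example.invalid/el7/$basearch/
gpgcheck=1
repo_gpgcheck=0

[tor-hardened]
name=Tor repo (hardened, constructed)
baseurl=https://repo.example.invalid/el7/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example
"""


def audit_repo_config(text):
    """Return {stanza: [finding, ...]}; an empty list means the stanza passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        s, findings = cp[name], []
        # TLS blocks trivial MITM but, as the mail argues, it is one layer only:
        # a leaked wildcard cert or rogue CA defeats it without touching GPG.
        for key in ("baseurl", "mirrorlist", "metalink"):
            if key in s and not s[key].lower().startswith("https://"):
                findings.append(f"{key} not served over https")
        if s.get("gpgcheck", "0") != "1":
            findings.append("gpgcheck=0: package signatures are not verified")
        # repo_gpgcheck makes yum verify the repomd.xml signature, so a
        # tampered package index is rejected even if the transport is compromised.
        if s.get("repo_gpgcheck", "0") != "1":
            findings.append("repo_gpgcheck=0: repodata signature is not verified")
        if "gpgkey" not in s:
            findings.append("no gpgkey: nothing pins the signing key")
        elif not s["gpgkey"].lower().startswith(("https://", "file://")):
            findings.append("gpgkey fetched over an unauthenticated channel")
        report[name] = findings
    return report
```

Run it over /etc/yum.repos.d/*.repo to list which stanzas still rely on TLS alone.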