Tor Project infrastructure updates in response to security breach

Sebastian Hahn mail at sebastianhahn.net
Thu Jan 21 05:28:08 UTC 2010


On Jan 21, 2010, at 6:25 AM, grarpamp wrote:

> As I wrote someone earlier...
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig key material
> needs to be handled in a sanitary way, but still, it's the idea that matters.
> And git, not svn, would need to be the canonical repo committers commit
> to, etc.

This already happens. Clone the Tor repository, and you'll find a  
signed tag named tor-0.2.2.7-alpha.

Use "git tag -v tor-0.2.2.7-alpha" to check for yourself.

Sebastian
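
`git tag -v` reports success for a good signature from any key in the local keyring, so a stricter check also pins the expected signer. The sketch below is an added example, not part of the original message or Tor's own tooling; it parses the status lines of `git verify-tag --raw`, and the fingerprint and sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR and SAMPLE_STATUS are constructed placeholders,
# not real Tor Project key material or real gpg output.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2010-01-21 1264051688 0 4 0 1 2 00 $PINNED_FPR"

# Read GnuPG status lines on stdin; succeed only if there is exactly one
# VALIDSIG, no failure status, and the primary-key fingerprint (last field
# of VALIDSIG) equals the pinned one. A missing field fails closed.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; fpr = $NF }
        END { exit !(n == 1 && !bad && toupper(fpr) == toupper(want)) }'
}

# usage: verify_tag <tag> <pinned-fingerprint>
# Prints the commit the tag points at, only if the signature checks out.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    printf '%s\n' "$status" | check_status "$2" || return 1
    git rev-parse "$1^{commit}"
}
```

Inside a clone, `verify_tag tor-0.2.2.7-alpha <fingerprint obtained out of band>` prints the commit hash the release tag resolves to, or fails without printing anything.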