Tor Project infrastructure updates in response to security breach

Jim Jimmymac at copper.net
Fri Jan 22 03:08:20 UTC 2010



Mike Perry wrote:
> Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
> sign .xpis, but have been sloppy about posting them publicly.

<snip>

> For now, I think the right answer is "Fetch it over SSL" or "Check the
> git/gpg sig".

Could you make a point of publicly posting the .xpi gpg signatures along 
with the .xpis?  I have never liked the method of downloading the 
extensions via the browser and installing all in one step.  I prefer to 
download the extension, convince myself it is authentic (such as gpg), 
possibly install it locally in a test account, and finally install it 
locally in the account(s) where I intend to use it.  At present, the 
missing ingredient in being able to do that is not having a signature to 
verify against.

So I'd much appreciate being able to get the signature w/o having to 
figure out git.  Particularly if that signature has already been created.

Thanks,
Jim

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/


