[tor-talk] Absence of digital signature of TBB sources

Sebastian Hahn mail at sebastianhahn.net
Wed Apr 4 16:18:20 UTC 2012

On Apr 4, 2012, at 2:34 PM, andrew at torproject.is wrote:

> On Wed, Apr 04, 2012 at 10:44:10AM +0000, rransom.8774 at gmail.com wrote 0.7K bytes in 20 lines about:
> : The official TBBs are built from the sources in Git, not from the
> : tarballs.  There probably shouldn't be any release tarballs for TBB
> : source code.
> But anyone should be able to build TBB from the source tarball. At least,
> this is how I used to build everything way back in the day when I built
> all of the packages.
> I didn't use the source repo. I tagged a release, built a source tarball,
> and then built the packages from the tarball. This way our builds were
> official, but at least others could build their own packages the same
> way we did.

In theory the (signed, of course) tags in a git repo can fulfil the same
purpose. That's probably the model we should aim for here.

I'll poke Erinn again about the existing tarball's signatures, tho

More information about the tor-talk mailing list