[tor-talk] how many verify their tbb ?

mick mbm at rlogin.net
Mon Aug 4 10:50:57 UTC 2014


On Sun, 03 Aug 2014 14:26:41 +0000
Patrick Schleizer <patrick-mailinglists at whonix.org> allegedly wrote:
> 
> As a maintainer of Whonix, I would like to note that I am surprised that
> there are any Whonix signature downloads from Whonix mirrors at all.
> We directly link Whonix signatures to whonix.org on our download
> page. [1] We don't have a link to signatures pointing to mirrors
> anywhere.

Patrick

The mirrors are (of necessity) public servers. They contain copies of
the signature files. Inevitably those files will be retrieved at
times. It is possible that some of those retrievals are by search
engines or other 'bots trawling the web. But it is equally possible
that some of the retrievals will have been made by real people -
possibly people who simply wanted to get and compare signatures from
different sources.

The only certain way to ensure that there are no signature downloads
from the mirrors (and this applies to Tails as well) is to remove
those signatures from the rsync masters. If they ain't there, they
can't be copied to the mirrors.

Best

Mick 
---------------------------------------------------------------------

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

---------------------------------------------------------------------
