[Tor www-team] New download page does not provide signature links

mwnx mwnx at gmx.com
Sat Mar 30 21:44:35 UTC 2019


Hello,

The new download page [1] does not provide links to the signature
files needed to check that the provided tor browser bundles have
indeed been produced and/or approved by the tor browser team.

Such signatures are important for software in general, but it is
especially worrying when they are lacking from an inherently privacy
and security focused project like tor. In the end, I managed to find
the signature file by appending `.asc` to the bundle URL, but others
might not think of doing that, and besides, I feel like we should
promote security best practices by encouraging people to check the
signature.

While I'm at it, thank you all for your contributions to this
critical piece of FOSS software.

[1] https://www.torproject.org/download/

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726


More information about the www-team mailing list