[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Project infrastructure updates in response to security breach

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor Project infrastructure updates in response to security breach
From: Roger Dingledine <arma@xxxxxxx>
Date: Thu, 21 Jan 2010 00:32:42 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Thu, 21 Jan 2010 00:32:49 -0500
In-reply-to: <d2e731a11001202125j49ee6c9ag27c4005328b13f09@xxxxxxxxxxxxxx>
References: <20100120214344.GL25864@xxxxxxxxxxxxxx> <20100121041228.GD13840@xxxxxxxxxxxxxx> <20100121051432.GN25864@xxxxxxxxxxxxxx> <d2e731a11001202125j49ee6c9ag27c4005328b13f09@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.18 (2008-05-17)

On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote:
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig key material
> needs to be handled in a sanitary way, but still, it's the idea that matters.
> And git, not svn, would need to be the canonical repo committers commit
> to, etc.
> 
> Thanks for Tor.

We do sign the git repository for each release (stable and development).

Do a git clone of Tor, and then 'git tag -l'.

Saying the git hash of the release in the release notes is not a crazy
notion though.

--Roger

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

References:
- Tor Project infrastructure updates in response to security breach
  - From: Roger Dingledine
- Re: Tor Project infrastructure updates in response to security breach
  - From: Peter Thoenen
- Re: Tor Project infrastructure updates in response to security breach
  - From: Roger Dingledine
- Re: Tor Project infrastructure updates in response to security breach
  - From: grarpamp

Prev by Author: Re: Tor Project infrastructure updates in response to security breach
Next by Author: Re: exit and guard flag
Previous by thread: Re: Tor Project infrastructure updates in response to security breach
Next by thread: Re: Tor Project infrastructure updates in response to security breach
Index(es):
- Author
- Thread