
Re: Tor Project infrastructure updates in response to security breach




On Jan 21, 2010, at 6:25 AM, grarpamp wrote:

As I wrote someone earlier...
It would be easier to just sign the git revision hashes at various intervals.
Such as explicitly including the revision hash that each release is
made from in the release docs itself. And then signing that release.
That way everyone... git repo maintainers, devels, mirrors, users...
can all verify the git repo via that signature. Of course the sig key
material needs to be handled in a sanitary way, but still, it's the idea
that matters. And git, not svn, would need to be the canonical repo
committers commit to, etc.

This already happens. Clone the Tor repository, and you'll find a signed tag named tor-0.2.2.7-alpha.

Use "git tag -v tor-0.2.2.7-alpha" to check for yourself.

Sebastian
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
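
The tag check discussed in this thread, as an added example that is not part of the original messages or of Tor's own tooling: `git tag -v` accepts a good signature from any key in the local keyring, so this sketch also pins the signer's fingerprint and prints the commit hash the signed tag covers. The function names and the fingerprint argument are assumptions; it relies on `git verify-tag --raw`, which writes GnuPG status lines to standard error.

```shell
#!/bin/sh
# Added example: verify a signed release tag against a pinned key fingerprint.
# Function names are hypothetical; the caller supplies the fingerprint that
# was obtained out of band.

# Read GnuPG status lines on stdin. Print the primary-key fingerprint only if
# the signature is good and valid; otherwise print nothing and return non-zero.
signer_fingerprint() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint; newer GnuPG
        # appends the primary-key fingerprint as the last field.
        $2 == "VALIDSIG" { fpr = (length($NF) >= 40) ? $NF : $3 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (good && !bad && fpr != "") print fpr; else exit 1 }
    '
}

# verify_release_tag TAG EXPECTED_FINGERPRINT
# Succeeds only if TAG carries a valid signature made by the pinned key, then
# prints the commit hash that the signed tag object points at.
verify_release_tag() {
    tag=$1
    expected=$2
    status=$(git verify-tag --raw "$tag" 2>&1) || return 1
    actual=$(printf '%s\n' "$status" | signer_fingerprint) || return 1
    [ "$actual" = "$expected" ] || return 1
    git rev-parse --verify "$tag^{commit}"
}

# Usage inside a clone (the fingerprint comes from the caller, not this page):
#   commit=$(verify_release_tag tor-0.2.2.7-alpha "$PINNED_FPR") || exit 1
#   [ "$(git rev-parse HEAD)" = "$commit" ] || echo "checkout is not the tagged commit"
```

Because a commit hash covers its tree and its full history, a valid signature over the tag extends to everything the release was built from, which is the property the quoted proposal asks for.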