
Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames



#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  rransom     
     Type:  defect                    |      Status:  needs_review
 Priority:  critical                  |   Milestone:              
Component:  Tor bundles/installation  |     Version:              
 Keywords:                            |      Parent:              
--------------------------------------+-------------------------------------

Comment(by Sebastian):

 I think if we change the way we do signatures we will just confuse most
 of those users that are already confused about signatures even more,
 without actually offering much better protection. For the careful gpg
 user, the date of the signature should be a good indication that something
 is wrong.

 That said, if we want to improve the situation, the script should probably
 add a date field, so that people can get suspicious when the date is off
 (note that they could already do that with the plain gpg signatures, but
 looking into many different places makes things just more complicated).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
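
The date check suggested in the comment above, as an added example (not part of the ticket or of any Tor Project script): it reads the signature creation time from the `VALIDSIG` line of `gpg --status-fd` output and reports whether it is close to the release date the user expects. The sample status text, fingerprint, dates, function names and the 14-day tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --status-fd 1 --verify pkg.asc pkg` output;
# the fingerprint, user ID and timestamps are made up for this example.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-06-01 1275393600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""


def signature_time(status_text):
    """Return the UTC creation time of the single valid signature."""
    times = []
    for line in status_text.splitlines():
        fields = line.split()
        # VALIDSIG <fpr> <date> <sig-timestamp> ...: timestamp is field 4.
        if len(fields) >= 5 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            ts = fields[4]
            if "T" in ts:  # ISO 8601 form, e.g. 20100601T120000
                t = datetime.strptime(ts, "%Y%m%dT%H%M%S")
                times.append(t.replace(tzinfo=timezone.utc))
            else:  # seconds since the epoch
                times.append(datetime.fromtimestamp(int(ts), timezone.utc))
    if len(times) != 1:
        raise ValueError("expected exactly one VALIDSIG line, got %d" % len(times))
    return times[0]


def date_looks_right(status_text, expected_release, tolerance_days=14):
    """True if the signature was made within tolerance of the expected release.

    expected_release is the date the user believes this version came out
    (for instance from the release announcement); tolerance_days is an
    assumed allowance, not a project policy.
    """
    signed = signature_time(status_text)
    return abs(signed - expected_release) <= timedelta(days=tolerance_days)


if __name__ == "__main__":
    announced = datetime(2011, 1, 5, tzinfo=timezone.utc)  # constructed date
    print(signature_time(SAMPLE_STATUS).isoformat())
    print("date plausible:", date_looks_right(SAMPLE_STATUS, announced))
```

A valid signature whose date fails this check is the case the ticket is about: the file is genuinely signed, but it may not be the release its filename claims.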