Re: Tor Project infrastructure updates in response to security breach

Mike Perry wrote:
Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
sign .xpis, but have been sloppy about posting them publicly.


For now, I think the right answer is "Fetch it over SSL" or "Check the
git/gpg sig".

Could you make a point of publicly posting the .xpi gpg signatures along with the .xpis? I have never liked the method of downloading the extensions via the browser and installing all in one step. I prefer to download the extension, convince myself it is authentic (such as gpg), possibly install it locally in a test account, and finally install it locally in the account(s) where I intend to use it. At present, the missing ingredient in being able to do that is not having a signature to verify against.

So I'd much appreciate being able to get the signature w/o having to figure out git. Particularly if that signature has already been created.
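The download-then-verify-then-install workflow described above, as an added example that is not part of this thread or of the Torbutton project: a small POSIX shell script that refuses to proceed unless a detached gpg signature for the .xpi verifies and was made by a pinned key fingerprint. It assumes gpg is installed and the signer's public key has already been imported; the file names and the fingerprint are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Torbutton project.
# Assumptions: gpg is on PATH, the signer's public key is already in the local
# keyring, and the signature is a detached file (e.g. torbutton.xpi.asc) placed
# beside the .xpi. The fingerprint used in the usage line is a placeholder.

# Parse gpg's machine-readable status output (--status-fd) and print the
# fingerprint of the primary key that produced a VALID signature. Reads status
# lines on stdin; prints nothing if no VALIDSIG line is present.
fingerprint_from_status() {
    # Layout with "[GNUPG:]" as field 1:
    #   $2=VALIDSIG $3=signing-key fpr ... $12=primary-key fpr (when present)
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }'
}

# Usage: verify_xpi <file.xpi> <file.xpi.asc> <EXPECTED_FINGERPRINT>
# Returns 0 only if the detached signature verifies AND the signing key's
# fingerprint matches the one pinned by the caller. A plain "gpg --verify"
# exit status is not enough: it accepts any key in the keyring.
verify_xpi() {
    xpi=$1; sig=$2; expected=$3
    [ -f "$xpi" ] || { echo "missing extension file: $xpi" >&2; return 1; }
    [ -f "$sig" ] || { echo "missing signature file: $sig (refusing unsigned install)" >&2; return 1; }

    # Status lines go to stdout (fd 1); human-readable chatter is discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$xpi" 2>/dev/null) || {
        echo "gpg: signature on $xpi did not verify" >&2; return 1; }

    actual=$(printf '%s\n' "$status" | fingerprint_from_status)
    [ -n "$actual" ] || { echo "no VALIDSIG reported for $xpi" >&2; return 1; }

    # Compare fingerprints case-insensitively.
    a=$(printf '%s' "$actual"   | tr 'a-f' 'A-F')
    e=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
    if [ "$a" != "$e" ]; then
        echo "signed by $actual, expected $expected: refusing to install" >&2
        return 1
    fi
    echo "OK: $xpi signed by pinned key $actual"
}

# Example usage (placeholder fingerprint; replace with the one you have
# verified out of band, e.g. from the key's owner):
#   verify_xpi torbutton.xpi torbutton.xpi.asc 0000000000000000000000000000000000000000 \
#       && cp torbutton.xpi ~/test-profile/extensions/
```

Only after `verify_xpi` returns 0 would the script copy the .xpi into a test profile, which keeps the "verify first, install second" ordering the message asks for. The fingerprint pin is the important part: `gpg --verify` alone reports success for any key present in the keyring, so the check must also confirm which key signed.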


