[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #31032 [- Select a component]: Use narrowly-scoped signing keys in instructions for using torproject apt repository



#31032: Use narrowly-scoped signing keys in instructions for using torproject apt
repository
--------------------------------------+--------------------
     Reporter:  dkg                   |      Owner:  (none)
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------
 https://2019.www.torproject.org/docs/debian.html.en engages in a number of
 suboptimal practices.  In particular, it should not encourage users to use
 `apt-key add` with an OpenPGP certificate that is not expected to certify
 all repositories on the machine.

 See https://wiki.debian.org/DebianRepository/UseThirdParty for reasonable
 guidance on setting up third party APT repositories.

 (at the very least: place the key someplace like
 `/usr/local/share/keyrings/tor-project-arhcive.gpg` and then use a
 `signed-by` directive in the apt repository configuration)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31032>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs