Re: [tor-bugs] #5260 [Company]: Make ldap account for marlowe
#5260: Make ldap account for marlowe
---------------------+------------------------------------------------------
Reporter: marlowe | Owner: weasel
Type: task | Status: new
Priority: normal | Milestone:
Component: Company | Version:
Keywords: | Parent:
Points: | Actualpoints:
---------------------+------------------------------------------------------
Comment(by mikeperry):

marlowe: I've developed a magical ritual that should obviate the need to
get your papers inspected and your orifices sniffed by concentric rings of
unwashed beardos:

 1. Post a URL here to something signed with your key (preferably wherever
 you are currently hosting your rpm prototypes).
 2. Verify your own signature yourself from two or more different tor
 circuits, to ensure you weren't MITM'd on your end.
 3. We'll perform the same verification on our side, to ensure we see the
 same key.

All we really care about in terms of key authentication is that whoever is
building rpms is the same person as who was volunteering to do so. We
don't really care about your name or your government-issued ID. Or at
least we shouldn't...

However, for my own peace of mind, it would be nice if we could find some
way to authenticate that the rpms you produce actually come directly from
the git sources. I.e.: someone else can take the .spec file, the sources
from git, and the patch set and build an identical rpm on a clean VM with
the same sha1sum. See #3688.

I'm not sure how we can do this and also have signed rpms, though... But
maybe there is a way to strip the signature from an RPM and then take the
sha1sum?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5260#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
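
One way to do the comparison asked about at the end of the comment, as an added example that is not part of the original message or of Tor's tooling: hash every byte of the package except the signature header, whose length is read from the RPM header structure. The `fake_rpm` helper and its sample bytes are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic plus version byte


def signature_section_end(rpm: bytes) -> int:
    """Offset of the main header, i.e. the end of the padded signature header."""
    if len(rpm) < LEAD_SIZE + 16 or rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead")
    if rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    # magic(4) + reserved(4), then big-endian index count and data-store size
    nindex, hsize = struct.unpack(">II", rpm[LEAD_SIZE + 8:LEAD_SIZE + 16])
    end = LEAD_SIZE + 16 + nindex * 16 + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if rpm[end:end + 4] != HEADER_MAGIC:
        raise ValueError("main header not found after signature header")
    return end


def unsigned_sha1(rpm: bytes) -> str:
    """SHA-1 over the lead plus main header and payload, skipping signatures."""
    end = signature_section_end(rpm)
    digest = hashlib.sha1(rpm[:LEAD_SIZE])
    digest.update(rpm[end:])
    return digest.hexdigest()


def fake_rpm(sig_data: bytes, body: bytes) -> bytes:
    """Constructed sample: an RPM-shaped blob, not a real package."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    entry = struct.pack(">IIII", 0, 7, 0, len(sig_data))  # illustrative entry
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig_data))
    sig += entry + sig_data
    sig += bytes(-len(sig) % 8)
    main = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, 0) + body
    return lead + sig + main


if __name__ == "__main__":
    a = fake_rpm(b"A" * 65, b"same header and payload")
    b = fake_rpm(b"B" * 13, b"same header and payload")
    print(unsigned_sha1(a) == unsigned_sha1(b))
```

This takes only the signature header out of the comparison; anything the build records in the main header or payload still changes the digest.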