
Re: Tor Project infrastructure updates in response to security breach



On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote:
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig key material
> needs to be handled in a sanitary way, but still, it's the idea that matters.
> And git, not svn, would need to be the canonical repo committers commit
> to, etc.
> 
> Thanks for Tor.

We do sign the git repository for each release (stable and development).

Do a git clone of Tor, and then 'git tag -l'.

Saying the git hash of the release in the release notes is not a crazy
notion though.

--Roger

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
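
The two points in this thread (signed release tags, and a commit hash stated in the release notes) can be checked together. The shell script below is an added example, not part of the original message and not Tor's own tooling. The function names and exit codes are hypothetical, and it assumes the release signing key is already in the local GnuPG keyring with its fingerprint confirmed out of band.

```shell
#!/bin/sh
# Added example: check a release tag's signature and the commit it names.
# Assumption: the signing key is already imported and was verified out of band.

# Print the full commit hash that a tag (signed or not) dereferences to.
tag_commit() {
    git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}"
}

# check_release REPO TAG PUBLISHED_HASH
# Returns 0 = signature good and the tag names the published commit,
#         1 = tag names a different commit than the release notes state,
#         2 = tag is unsigned or its signature does not verify,
#         3 = no such tag in the repository.
check_release() {
    repo=$1 tag=$2 published=$3

    have=$(tag_commit "$repo" "$tag") || return 3

    # verify-tag fails for lightweight tags, unsigned annotated tags, bad
    # signatures, and signatures made by keys missing from the keyring.
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1 || return 2

    # Normalise the published value so an abbreviated hash also works.
    want=$(git -C "$repo" rev-parse --verify --quiet "$published^{commit}") || return 1

    [ "$have" = "$want" ] || return 1
    return 0
}

# Stand-alone use: sh check_release.sh /path/to/clone TAG PUBLISHED_HASH
if [ "$#" -eq 3 ]; then
    rc=0
    check_release "$@" || rc=$?
    echo "check_release: exit $rc"
    exit "$rc"
fi
```

A zero exit only says the tag was signed by some key in the keyring; restrict the keyring to the release keys you trust before relying on it.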