[tor-bugs] #12871 [RPM packaging]: RPM repo data is not signed and documentation misses repo_gpgcheck
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 15 12:05:17 UTC 2014
#12871: RPM repo data is not signed and documentation misses repo_gpgcheck
---------------------------+-------------------------
Reporter: cypherpunks | Owner: marlowe
Type: defect | Status: new
Priority: normal | Milestone:
Component: RPM packaging | Version:
Keywords: | Actual Points:
Parent ID: | Points:
---------------------------+-------------------------
The torproject RPM repos do not provide signed repomd.xml files
(repomd.xml.asc); this would allow an attacker to 'hide' updates [1].
From the yum.conf manpage [2]:
//repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should
perform a GPG signature check on the repodata. When this is set in the
[main] section it sets the default for all repositories. The default is
'0'.//
Once you provide repomd.xml.asc files please update [3].
[1] https://lwn.net/Articles/327847/
[2] http://linux.die.net/man/5/yum.conf
[3] https://www.torproject.org/docs/rpms.html.en
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12871>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
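
An added example, not part of the original ticket or the Tor Project's own code: a small Python audit that applies the manpage rule quoted in the ticket ([main] sets the default for all repositories, built-in default '0') to list enabled repos whose repodata is not signature-checked. The repo ids and URLs in the sample are constructed placeholders, and the function names are hypothetical.

```python
import configparser

# Constructed sample; section names and URLs are placeholders, not a real repo file.
SAMPLE = """\
[main]
gpgcheck=1

[tor]
name=Constructed sample repo
baseurl=https://repo.example.invalid/tor/$basearch/
enabled=1
gpgcheck=1

[tor-signed]
name=Same repo with metadata verification on
baseurl=https://repo.example.invalid/tor/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1

[tor-source]
name=Disabled repo, ignored by the audit
baseurl=https://repo.example.invalid/tor/SRPMS/
enabled=0
"""

def _on(value):
    # The manpage documents the values '1' and '0'; anything else counts as off here.
    return value.strip() == "1"

def effective_repo_gpgcheck(config_text):
    """Map each enabled repo id to whether yum would check the repodata signature."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    # [main] sets the default for all repositories; the built-in default is '0'.
    default = cp.get("main", "repo_gpgcheck", fallback="0")
    result = {}
    for repo in cp.sections():
        if repo == "main" or not _on(cp.get(repo, "enabled", fallback="1")):
            continue
        result[repo] = _on(cp.get(repo, "repo_gpgcheck", fallback=default))
    return result

def unverified_repos(config_text):
    """Enabled repos whose metadata signature is not checked, even if gpgcheck=1."""
    return sorted(r for r, ok in effective_repo_gpgcheck(config_text).items() if not ok)

if __name__ == "__main__":
    for repo in unverified_repos(SAMPLE):
        print(f"{repo}: repo_gpgcheck is off, repomd.xml is accepted unsigned")
```

Setting repo_gpgcheck=1 only helps once the repository actually publishes repomd.xml.asc, which is what the ticket asks for.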