[tor-bugs] #31032 [- Select a component]: Use narrowly-scoped signing keys in instructions for using torproject apt repository
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 28 20:54:22 UTC 2019
#31032: Use narrowly-scoped signing keys in instructions for using torproject apt
repository
--------------------------------------+--------------------
Reporter: dkg | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
https://2019.www.torproject.org/docs/debian.html.en engages in a number of
suboptimal practices. In particular, it should not encourage users to use
`apt-key add` with an OpenPGP certificate that is not expected to certify
all repositories on the machine.
See https://wiki.debian.org/DebianRepository/UseThirdParty for reasonable
guidance on setting up third party APT repositories.
(at the very least: place the key someplace like
`/usr/local/share/keyrings/tor-project-arhcive.gpg` and then use a
`signed-by` directive in the apt repository configuration)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31032>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list