[tor-dev] repo: TLS vs. GPG signed files (#12871)
Nusenu
BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Thu Oct 23 22:37:16 UTC 2014
Hi Ondrej,
[I felt it is better to discuss this via email; if you feel otherwise,
feel free to move the discussion back to trac.]
Even though it was also me who requested the use of HTTPS for the repos [1]
(and I'm glad it has been (partially) accepted and implemented), I do not
follow your comment that HTTPS is "better" than repo_gpgcheck [2].
It is my opinion that even in the case of HTTPS GPG signatures provide a
security improvement since (I hope) the private GPG key used to sign the
repo is less exposed than the wildcard certificate for *.tpo.
(I filed #13553 [4] to address rogue CAs / certificate pinning for yum.)
Could you elaborate on your issue regarding repo_gpgcheck not showing
fingerprints? (It does show the gpg key fingerprint on a fc20 system
after adding repo_gpgcheck=1 and running 'yum update' [3]).
Thanks for providing and maintaining the RPM repo,
Nusenu
[1] https://trac.torproject.org/projects/tor/ticket/12897
[2] https://trac.torproject.org/projects/tor/ticket/12871#comment:8
[3]
Importing GPG key 0x5AC001F1:
Userid : "torproject.org RPM signing key"
Fingerprint: 3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1
From :
https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
Is this ok [y/N]:
[4] https://trac.torproject.org/projects/tor/ticket/13553
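The mail above leaves the operator to eyeball the fingerprint at the yum "Is this ok [y/N]" prompt. The script below is an added example, not code from the thread or from the Tor project: it pins the fingerprint of the RPM signing key (copied from the yum prompt quoted in [3]) and checks a downloaded key file against it before the key is ever imported, then writes a .repo stanza with both gpgcheck and repo_gpgcheck enabled. Assumptions: gpg 2.1 or later (for `--import-options show-only`), and a placeholder baseurl, since the mail gives only the key URL, not the repository URL.

```shell
#!/bin/sh
# Added example for the tor-dev discussion; not the project's own tooling.

# Fingerprint as shown by yum in the quoted prompt [3]. Treat this value as
# the trust anchor: it is checked here instead of at an interactive prompt.
EXPECTED_FPR="3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1"

# Normalise a fingerprint for comparison: strip spaces and colons, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only if both strings name the same 160-bit fingerprint.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an ASCII-armoured key file without
# importing it. Relies on gpg >= 2.1 ("show-only" import option, assumption);
# the first "fpr" record in --with-colons output belongs to the primary key.
key_file_fpr() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: verify_key_file ./RPM-GPG-KEY-torproject.org.asc
# Exit 1 on mismatch so a provisioning script stops before 'rpm --import'.
verify_key_file() {
    actual=$(key_file_fpr "$1")
    if fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint OK: $actual"
    else
        echo "fingerprint MISMATCH for $1: got '$actual'" >&2
        return 1
    fi
}

# Write a yum .repo stanza with package signatures (gpgcheck) and repository
# metadata signatures (repo_gpgcheck) both verified. The baseurl is a
# placeholder (assumption); the gpgkey URL is the one from the mail.
write_repo() {
    cat > "$1" <<'EOF'
[torproject]
name=Tor Project RPM repo (placeholder baseurl)
baseurl=https://example.invalid/torproject/rpm/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF
}
```

With repo_gpgcheck=1 yum verifies the detached signature on repomd.xml, so a TLS compromise (a misissued *.tpo certificate, as the mail worries about) is not enough to serve tampered metadata; the signing key still has to be bound to a fingerprint the operator trusts, which is what verify_key_file does ahead of the first import.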