Tor Project infrastructure updates in response to security breach
Roger Dingledine
arma at mit.edu
Thu Jan 21 05:32:42 UTC 2010
On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote:
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig key material
> needs to be handled in a sanitary way, but still, it's the idea that matters.
> And git, not svn, would need to be the canonical repo committers commit
> to, etc.
>
> Thanks for Tor.

We do sign the git repository for each release (stable and development).
Do a git clone of Tor, and then 'git tag -l'.

Saying the git hash of the release in the release notes is not a crazy
notion though.

--Roger
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
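
The check discussed in this thread (a signed release tag, plus the commit hash stated in the release notes), as an added example that is not part of the original messages and not Tor Project tooling. The function names are hypothetical, and the expected hash is whatever value the release notes publish.

```shell
#!/bin/sh
# Added example, not Tor Project code. Function names are hypothetical.

# resolve_tag_commit REPO TAG
# Prints the commit the tag points to. "^{commit}" peels an annotated or
# signed tag object down to the commit it names.
resolve_tag_commit() {
    git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}"
}

# tag_matches_published_hash REPO TAG EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a full
# lowercase hex commit id, 3 if the tag does not exist.
tag_matches_published_hash() {
    repo=$1; tag=$2; expected=$3
    # Refuse abbreviated hashes: a short prefix is a much weaker pin
    # than the full object id.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || [ "${#expected}" -eq 64 ] || return 2
    actual=$(resolve_tag_commit "$repo" "$tag") || return 3
    [ "$actual" = "$expected" ]
}

# verify_release REPO TAG EXPECTED
# Both checks must pass: the tag signature verifies against a key in the
# local keyring, and the tag resolves to the published commit.
verify_release() {
    git -C "$1" verify-tag "$2" || return 4
    tag_matches_published_hash "$1" "$2" "$3"
}
```

`verify_release` only means something if the signing key was obtained and checked out of band; `git verify-tag` trusts whatever is in the local keyring.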