Tor Project infrastructure updates in response to security breach
Sebastian Hahn
mail at sebastianhahn.net
Thu Jan 21 05:28:08 UTC 2010
On Jan 21, 2010, at 6:25 AM, grarpamp wrote:
> As I wrote someone earlier...
> It would be easier to just sign the git revision hashes at various
> intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig
> key material needs to be handled in a sanitary way, but still, it's
> the idea that matters.
> And git, not svn, would need to be the canonical repo committers
> commit to, etc.
This already happens. Clone the Tor repository, and you'll find a
signed tag named tor-0.2.2.7-alpha.
Use "git tag -v tor-0.2.2.7-alpha" to check for yourself.
Sebastian
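
Added example, not part of the original message and not Tor Project code: "git tag -v" accepts a good signature from any key in the local keyring, so this shell function also pins the signer by comparing the fingerprint in GnuPG's VALIDSIG status line to an expected value. The function names, the fingerprint placeholder and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Verify a signed release tag AND check who signed it.
# Usage (repository path is hypothetical):
#   verify_tag_pinned /path/to/tor tor-0.2.2.7-alpha "$PINNED_FPR"

# Constructed placeholder, NOT a real Tor signing-key fingerprint.
PINNED_FPR="0000000000000000000000000000000000000000"

# Constructed sample of the status lines gpg emits for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2010-01-19 1263859200 0 4 0 1 2 00 0000000000000000000000000000000000000000'

# Read GnuPG status lines on stdin. Print the primary-key fingerprint of
# the valid signature (field 12 of VALIDSIG; older gpg only has field 3).
# Fail if there is no VALIDSIG or the signature/key is bad, expired or revoked.
signer_fpr_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (bad || fpr == "") exit 1
            print fpr
        }'
}

# verify_tag_pinned REPO TAG FPR
# Succeeds only if TAG in REPO carries a valid signature made by FPR.
verify_tag_pinned() {
    repo=$1 tag=$2 want=$3
    # --raw makes git print the gpg status output on stderr; capture only that.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    got=$(printf '%s\n' "$status" | signer_fpr_from_status) || return 1
    [ "$got" = "$want" ]
}
```

The expected fingerprint has to come from a channel other than the repository being checked, otherwise the pin adds nothing over the keyring check.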