Tor Project infrastructure updates in response to security breach
Jim
Jimmymac at copper.net
Fri Jan 22 03:08:20 UTC 2010
Mike Perry wrote:
> Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
> sign .xpis, but have been sloppy about posting them publicly.
<snip>
> For now, I think the right answer is "Fetch it over SSL" or "Check the
> git/gpg sig".
Could you make a point of publicly posting the .xpi gpg signatures along
with the .xpis? I have never liked the method of downloading the
extensions via the browser and installing all in one step. I prefer to
download the extension, convince myself it is authentic (such as gpg),
possibly install it locally in a test accound, and finally install it
locally in the account(s) where I intend to use it. At present, the
missing ingredient in being able to do that is not having a signature to
verify against.
So I'd much appreciate being able to get the signature w/o having to
figure out git. Particularly if that signature has already been created.
Thanks,
Jim
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
More information about the tor-talk
mailing list