Opened 16 months ago

Last modified 16 months ago

#31032 new defect

Use narrowly-scoped signing keys in instructions for using torproject apt repository

Reported by: dkg Owned by: weasel
Priority: Medium Milestone:
Component: Internal Services/Service - deb.tpo Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

engages in a number of suboptimal practices. In particular, it should not encourage users to use apt-key add with an OpenPGP certificate that is not expected to certify all repositories on the machine.

See for reasonable guidance on setting up third party APT repositories.

(at the very least: place the key someplace like /usr/local/share/keyrings/tor-project-archive.gpg and then use a signed-by directive in the apt repository configuration)
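An added example, not code from the ticket or from the Tor Project: a POSIX shell script that implements the keyring-plus-signed-by setup the description asks for, and a check that flags sources entries still relying on the global trust store. The repository URL, the sample suite, the sources file name and the name of the old file under /etc/apt/trusted.gpg.d/ are assumptions; only the keyring path comes from the ticket.

```shell
#!/bin/sh
# Added example (not the ticket's or the Tor Project's code): configure the Tor
# apt repository with a narrowly-scoped keyring via signed-by, not apt-key add.
# Assumed: repository URL, suite "bullseye", sources file name, old trusted.gpg.d name.

KEYRING="${KEYRING:-/usr/local/share/keyrings/tor-project-archive.gpg}"   # from the ticket
SOURCES="${SOURCES:-/etc/apt/sources.list.d/tor.list}"                     # assumed
OLD_TRUSTED="${OLD_TRUSTED:-/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg}"  # assumed

# Weak form the ticket argues against: the certificate becomes a trust root for
# EVERY repository configured on the machine, not just Tor's.
#   apt-key add tor-archive.asc
#   echo "deb https://deb.torproject.org/torproject.org bullseye main" > /etc/apt/sources.list.d/tor.list

# Hardened form: one sources line whose signed-by= option names the keyring.
# $1: keyring path, $2: suite
tor_sources_line() {
    printf 'deb [signed-by=%s] https://deb.torproject.org/torproject.org %s main\n' "$1" "$2"
}

# Audit a sources file: succeeds only if it has at least one deb.torproject.org
# line and every such line carries signed-by=.  $1: sources file
check_signed_by() {
    lines=$(grep -E '^deb(-src)? ' "$1" | grep 'deb\.torproject\.org') || return 1
    ! printf '%s\n' "$lines" | grep -vq 'signed-by='
}

# Migration for an existing setup: turn an ASCII-armored archive key into a
# binary keyring, write the scoped sources entry, and remove the copy in the
# global trust store so the key no longer certifies other repositories.
# $1: armored key file, $2: suite.  Run as root; not invoked automatically.
install_tor_sources() {
    mkdir -p "$(dirname "$KEYRING")"
    gpg --dearmor < "$1" > "$KEYRING"
    chmod 0644 "$KEYRING"
    tor_sources_line "$KEYRING" "$2" > "$SOURCES"
    rm -f "$OLD_TRUSTED"
    check_signed_by "$SOURCES"
}

case "${1:-}" in
    install) install_tor_sources "$2" "${3:-bullseye}" ;;
esac
```

Invoke as `sh tor-sources.sh install tor-archive.asc bullseye`; without arguments the script only defines the functions.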

Change History (2)

comment:1 Changed 16 months ago by anarcat

Component: changed from "- Select a component" to Internal Services/Service - deb.tpo
Owner: set to weasel

comment:2 Changed 16 months ago by weasel

Do you have any suggestions on how to migrate existing setups, in particular with respect to the package? I'm all for no longer shipping (or installing) /etc/apt/trusted.gpg.d/