Opened 6 months ago

Last modified 6 months ago

#31032 new defect

Use narrowly-scoped signing keys in instructions for using torproject apt repository

Reported by: dkg
Owned by: weasel
Priority: Medium
Milestone:
Component: Internal Services/Service - deb.tpo
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://2019.www.torproject.org/docs/debian.html.en engages in a number of suboptimal practices. In particular, it should not encourage users to use apt-key add with an OpenPGP certificate that is not expected to certify all repositories on the machine.

See https://wiki.debian.org/DebianRepository/UseThirdParty for reasonable guidance on setting up third party APT repositories.

(at the very least: place the key someplace like /usr/local/share/keyrings/tor-project-archive.gpg and then use a signed-by directive in the apt repository configuration)
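As an added example (not part of the ticket, nor the Tor Project's own documentation or tooling): a POSIX sh helper that writes an apt source entry pinned to a single keyring via signed-by, plus a checker that flags source entries lacking such a scope. The keyring path, the suite name and the repository URL used in the comments are assumptions, not values from the ticket.

```shell
#!/bin/sh
# Added example: scope a third-party apt repository to its own keyring.
# Assumed values (not from the ticket):
#   keyring: /usr/local/share/keyrings/tor-project-archive.gpg
#   suite:   buster
#   repo:    https://deb.torproject.org/torproject.org

# Emit a one-line-style sources.list entry whose signatures are accepted
# only from the named keyring (instead of the system-wide trusted set).
# $1 = keyring path, $2 = suite, $3 = repository URL
scoped_source_line() {
    printf 'deb [signed-by=%s] %s %s main\n' "$1" "$3" "$2"
}

# Scan a sources file: return 0 if every deb/deb-src entry carries a
# signed-by option, 1 otherwise (offending lines are printed to stderr).
# Entries without signed-by fall back to every key in apt's trusted set,
# which is the over-broad trust the ticket warns about.
check_signed_by() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            deb\ *|deb-src\ *)
                case "$line" in
                    *signed-by=*) ;;
                    *) printf 'missing signed-by: %s\n' "$line" >&2; rc=1 ;;
                esac ;;
        esac
    done < "$1"
    return $rc
}
```

A matching deployment would install the keyring file (not under /etc/apt/trusted.gpg.d) before writing the entry, so that apt never consults the key for other repositories.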

Child Tickets

Change History (2)

comment:1 Changed 6 months ago by anarcat

Component: changed from "- Select a component" to "Internal Services/Service - deb.tpo"
Owner: set to weasel

comment:2 Changed 6 months ago by weasel

Do you have any suggestions on how to migrate existing setups, in particular wrt the deb.torproject.org-keyring package? I'm all for no longer shipping (or installing) /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg.
