Opened 8 years ago

Closed 2 years ago

#7605 closed defect (wontfix)

get the package into Debian

Reported by: proper
Owned by:
Priority: Medium
Milestone:
Component: Archived/Ponies
Version:
Severity: Normal
Keywords: archived-closed-2018-07-04
Cc: proper, weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


For first time visitors with no knowledge about gpg and/or no trust path to The Tor Project it's difficult to verify the Tor package signing key.

The advice to download the Tor package signing key from the keyservers with a fingerprint posted from is flawed. The first time visitor of is already victim of a mitm this won't help. It would only help if the first time visitor won't get mitm'd at his first visit. Only further downloads would be protected.

For this reason it's not best to distribute the Tor signing key / fingerprint through


  1. Get the into Debian. If you can get it into the Debian keyring - even better.
  2. After 1. is done get Tor package signing key shipped by default with Debian.

This would eliminate and ease at least one step from the complicated (from user perspective) steps of gpg verification.

Getting it into Debian is strategic. Many derivatives based on Debian such as Ubuntu will include it as well.

Child Tickets

Change History (4)

comment:1 Changed 8 years ago by proper

Parent ID: #5996

comment:2 Changed 5 years ago by isis

Cc: weasel added
Component: Company → Ponies
Parent ID: #5996

The "Company" component is defunct. Changing to "Ponies" because, as I have understood it, there are $REASONS why weasel doesn't want the package to be included in Debian.

comment:3 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:4 Changed 2 years ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: new → closed

Close all tickets in archived components
