Opened 7 years ago

Closed 14 months ago

#7605 closed defect (wontfix)

get the deb.torproject.org-keyring package into Debian

Reported by: proper Owned by:
Priority: Medium Milestone:
Component: Archived/Ponies Version:
Severity: Normal Keywords: archived-closed-2018-07-04
Cc: proper, weasel Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

For first time torproject.org visitors with no knowledge about gpg and/or no trust path to The Tor Project it's difficult to verify the Tor package signing key.

The advice to download the Tor package signing key from the keyservers with a fingerprint posted from torproject.org is flawed. The first time visitor of torproject.org is already victim of a mitm this won't help. It would only help if the first time visitor won't get mitm'd at his first visit. Only further downloads would be protected.

For this reason it's not best to distribiute the Tor signing key / fingerprint through torproject.org.

Suggestion:

  1. Get the deb.torproject.org-keyring into Debian. If you can get it into the Debian keyring - even better.
  1. After 1. is done get Tor package signing key shipped by default with Debian.

This would eliminate and ease at least one step from the complicated (from user perspective) steps of gpg verification.

Getting it into Debian is strategic. Many derivatives based on Debian such as Ubuntu will include it as well.

Child Tickets

Change History (4)

comment:1 Changed 7 years ago by proper

Parent ID: #5996

comment:2 Changed 4 years ago by isis

Cc: weasel added
Component: CompanyPonies
Parent ID: #5996

The "Company" component is defunct. Changing to "Ponies" because, as I have understood it, there are $REASONS why weasel doesn't want the deb.torproject.org-keyring package to be included in Debian.

comment:3 Changed 21 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:4 Changed 14 months ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: newclosed

Close all tickets in archived components

Note: See TracTickets for help on using tickets.