RPM repo data is not signed and documentation misses repo_gpgcheck
The torproject RPM repos do not provide signed repomd.xml files (repomd.xml.asc); this would allow an attacker to 'hide' updates.
From the yum.conf manpage:
//repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section it sets the default for all repositories. The default is '0'.//
Once you provide repomd.xml.asc files, please update.
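As an added illustration (not part of this ticket or of the torproject packaging), a weak .repo stanza next to its hardened form, plus a small POSIX shell audit that reports repo sections which would accept unsigned repodata. REPO_HOST and the paths are placeholders; the audit only inspects the setting, it fetches and verifies nothing, and enabling repo_gpgcheck=1 is only useful once the repo actually publishes repomd.xml.asc, since yum otherwise refuses the repo.

```shell
# Added example, not from the ticket: audit .repo files for repo_gpgcheck
# (honoured by yum and dnf). A repo section inherits the [main] value when
# it sets nothing itself; the manpage default is 0 (no repodata check).
# Prints one line per section that would accept unsigned repomd.xml;
# returns 0 when every section is covered, 1 otherwise.
audit_repo_file() {
  awk '
    BEGIN { n = 0 }
    /^\[[^]]+\][ \t]*$/ { sub(/^\[/, ""); sub(/\].*$/, ""); sec = $0; order[n++] = sec; next }
    /^[ \t]*repo_gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val[sec] = $0 }
    END {
      dflt = ("main" in val) ? val["main"] : "0"
      bad = 0
      for (i = 0; i < n; i++) {
        s = order[i]
        if (s == "main") continue
        v = (s in val) ? val[s] : dflt
        if (v != "1") { print FILENAME ": [" s "] repo_gpgcheck=" v " (repodata not verified)"; bad = 1 }
      }
      exit bad
    }' "$1"
}

# Constructed sample files (REPO_HOST is a placeholder, not a real URL).
# gpgcheck=1 alone verifies packages only; the repodata that lists them
# is still accepted unsigned, which is the gap the ticket describes.
DEMO_DIR="${TMPDIR:-/tmp}/repo-audit-demo.$$"
mkdir -p "$DEMO_DIR"
cat > "$DEMO_DIR/weak.repo" <<'EOF'
[tor]
name=Tor (packages signed, repodata unsigned)
baseurl=https://REPO_HOST/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://REPO_HOST/public_gpg.key
EOF
# Hardened: repo_gpgcheck=1 makes yum require a valid repomd.xml.asc too.
cat > "$DEMO_DIR/hardened.repo" <<'EOF'
[tor]
name=Tor (packages and repodata signed)
baseurl=https://REPO_HOST/centos/$releasever/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://REPO_HOST/public_gpg.key
EOF

audit_repo_file "$DEMO_DIR/weak.repo" || echo "weak.repo needs repo_gpgcheck=1"
audit_repo_file "$DEMO_DIR/hardened.repo" && echo "hardened.repo is covered"
```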