Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by adrelanos@adrelanos

stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org

Quote (bold not added by me)

High-risk users should stop using the keyserver network immediately.

Originator of quote, again quoting directly:

Robert J. Hansen rjh@sixdemonbag.org. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.

See also: https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

Other reasons:

  • Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
  • While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing networking outside of Tor Browser (gpg --recv-keys) is non-trivial to do torified. Also for that reason it would be better if users could get both, the information how to verify and the gpg public key from the same source.
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information