I looked into the install-tbb.sh script.

Ague Mill:
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg --verify "$TBB_SIGNATURE" "$TBB_ARCHIVE"

I am not sure this is a good idea. There are a lot of people in this
keyring. I'd only verify against the current TBB maintainers.

Not saying anyone in the Debian keyring is untrustworthy. Limiting the
number of trusted people to the actual TBB maintainers dramatically
shrinks the attack surface.
_______________________________________________
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
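
One way to restrict verification to specific signers, as an added example that is not part of the original message or of install-tbb.sh: parse gpg's machine-readable status output and accept the archive only when a good signature comes from a pinned primary-key fingerprint. The fingerprints, the sample status lines, the function name and the `tbb-maintainers.gpg` keyring are constructed or hypothetical.

```shell
#!/bin/sh
# Added example. Fingerprints, names and dates below are constructed placeholders.
PINNED_FPRS="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
UNPINNED_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

# signed_by_pinned_key FPR...
# Reads gpg/gpgv --status-fd lines on stdin. Succeeds only when a good
# signature was reported and its primary-key fingerprint is one of FPR.
signed_by_pinned_key() {
    awk -v allowed="$*" '
        BEGIN { n = split(toupper(allowed), a, " "); for (i = 1; i <= n; i++) pin[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # Any of these means at least one signature must not be trusted.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key, field 12 (when present) the primary key.
        $2 == "VALIDSIG" { fpr = toupper((NF >= 12) ? $12 : $3); if (fpr in pin) pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# Constructed status output for one good signature made by the pinned key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2013-03-01 1362096000 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Real use (tbb-maintainers.gpg is a hypothetical keyring holding only the pinned keys):
#   gpgv --keyring ./tbb-maintainers.gpg --status-fd 1 \
#       "$TBB_SIGNATURE" "$TBB_ARCHIVE" 2>/dev/null | signed_by_pinned_key $PINNED_FPRS
# With plain gpg, --keyring only adds a keyring; --no-default-keyring is needed
# to stop keys in the default keyring from being accepted as well.
if printf '%s\n' "$SAMPLE_STATUS" | signed_by_pinned_key $PINNED_FPRS; then
    echo "accepted: signed by a pinned key"
fi
```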
