I looked into the install-tbb.sh script. Ague Mill: > gpg --keyring /usr/share/keyrings/debian-keyring.gpg --verify "$TBB_SIGNATURE" "$TBB_ARCHIVE"
I am not sure this is a good idea. There are a lot people in this keyring. I'd only verify against the current TBB maintainers. Not saying anyone in the Debian keyring is untrustworthy. Limiting the the number of trusted people to the actual TBB maintainers dramatically shrinks the attack surface. _______________________________________________ tails-dev mailing list tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev