On 2/18/19 9:23 PM, Florian Pritz via arch-devops wrote:
On Mon, Feb 18, 2019 at 03:10:00PM +0100, Levente Polyak via arch-devops <arch-devops@lists.archlinux.org> wrote:
However, the primary advantage we wanted to have solved on top are managed/subscribed reporting to CERT.
Sorry, I didn't know that. This is indeed a pretty good reason and I'm much more inclined to agree that deploying this might be a good idea. If someone wants to work on this (i.e. create ansible roles), I won't oppose.
I'm sure we will be able to provide them properly, jelle would work on this as well.
Some questions came to mind though: Do we actually need encryption there? Do they send important/zero-day/private issues or do they just send some form of advisory about already public problems? Or do they require a GPG key before they add you to their contact list?
Yes, it is mostly sensitive pre-notification before information is declared public. They also accept sending it in clear-text, so I guess I will make sure now that we only receive notifications to security@archlinux.org. We can later update the contact to make them use the new GPG key; I would still prefer if they don't need to send it in clear-text :-)
Also, could you give a rough estimate of how many mails per day/month/year we are talking about and how many different senders are involved?
It fluctuates highly, but a rough overall estimate would be something around 6 mails per month with approx. 4 unique senders (3 of which on a regular or semi-regular basis).

cheers,
Levente