On 2/11/19 10:48 PM, Florian Pritz via arch-devops wrote:
> On Mon, Feb 11, 2019 at 09:35:36PM +0100, Jelle van der Waa <jelle@vdwaa.nl> wrote:
>> For security@archlinux.org the Security Team wants to set up a way for reporters to securely mail encrypted issues to our email address. To limit the bus factor we want to send those emails to multiple receivers and then handle and/or forward the information appropriately. Schleuder provides a solution to this issue by decrypting the sent email and re-encrypting it to the Arch Security team members.
> Any reason why we don't just follow "The Apache Way"[1] (my term) and list a few of the "core" security people on our website with gpg keys? Then the user has to fetch like 2-4 keys, but I think that's much, much easier and more robust than what is proposed here. This does not require any new keys/servers/software.
Yes, all this sounds nice and convenient if we are talking about single-time reporters that search for a contact to report an issue. However, the primary advantage we wanted to have solved on top is managed/subscribed reporting to CERT. Right now it's extremely intransparent; we have "random" people mapped on their side (and it already contains an inactive dev). What we wish to have is a transparent way to manage first-level receivers on our side (e.g. in ansible) that handle and redistribute the information to the right people on our team. I don't quite like that we need to be aware of who may be registered at CERT and alter it when people resign. Also, it could be a good beta test for using a GPG smartcard in the data center that may potentially be handy for future stuff :-)

cheers,
Levente
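As an added illustration that is not part of the thread (and not Schleuder's or Arch's own tooling), the following shell script contrasts the two workflows discussed above with a throwaway GnuPG keyring: in the "Apache Way" the reporter encrypts directly to every published member key, while in the Schleuder-style setup the reporter encrypts to a single list key and the list host decrypts and re-encrypts to the members. All names, addresses and keys are constructed for the demo; it assumes a GnuPG 2.1+ `gpg` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the arch-devops thread: contrast the two reporting
# workflows with a throwaway GnuPG keyring. Every name, address and key is
# constructed for this demo.
set -e

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/home"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Unattended GnuPG: no passphrase on the demo keys, no trust prompts.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }

# Three team members plus one shared "list" key playing the Schleuder role.
for uid in alice@example.org bob@example.org carol@example.org security@example.org; do
    g --quick-generate-key "$uid" default default never 2>/dev/null
done

MEMBERS="-r alice@example.org -r bob@example.org -r carol@example.org"

# How many public-key-encrypted session keys a message carries, i.e. how many
# distinct keys can open it.
count_recipients() {
    gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet'
}

printf 'constructed demo report for the security team\n' > "$WORK/report.txt"

# Workflow 1 ("The Apache Way"): the reporter fetches the published member
# keys and encrypts to all of them at once. No shared key exists anywhere.
direct_report() {
    # shellcheck disable=SC2086
    g --encrypt --armor $MEMBERS -o "$WORK/direct.asc" "$WORK/report.txt"
    count_recipients "$WORK/direct.asc"          # 3 recipients
}

# Workflow 2 (Schleuder-style): the reporter encrypts only to the list key;
# the list host decrypts with the list's secret key and re-encrypts to the
# current members. The list key is the one point that can read the mail.
gateway_report() {
    g --encrypt --armor -r security@example.org -o "$WORK/inbound.asc" "$WORK/report.txt"
    inbound=$(count_recipients "$WORK/inbound.asc")     # 1 recipient
    g --decrypt -o "$WORK/plain.txt" "$WORK/inbound.asc"
    # shellcheck disable=SC2086
    g --encrypt --armor $MEMBERS -o "$WORK/outbound.asc" "$WORK/plain.txt"
    outbound=$(count_recipients "$WORK/outbound.asc")   # 3 recipients
    echo "$inbound $outbound"
}

# A member opens the re-encrypted copy and gets the original text back.
member_reads() {
    g --decrypt "$WORK/outbound.asc"
}
```

The recipient counts make the trade-off visible: the direct workflow never creates a secret that can read every report, whereas the gateway workflow concentrates that ability in the list key (the thing a smartcard in the data center would protect), in exchange for a member list that can be changed on the list host without reporters or CERT having to update anything.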