Hi list!

On 11/02/2019 20:35, Jelle van der Waa wrote:
> For security@archlinux.org the Security Team wants to set up a way for reporters to securely mail encrypted issues to our email address.

Not actually questioning the motives, but is there really a *need* for this? From now on, I'll assume "yes" here.

> * Cheapest Hetzner server 34 euro / month and 40 euro setup fees.
> * Hetzner auction server ~ 25 / month and no setup fees.
> * Different dedicated server hoster which allows custom usb devices.

I would go with an auction server. They're reliable and cheap (had 2 personally already).

> * Nitrokey is out of our control, but we trust Hetzner already (ie. they could easily hook up a malicious USB/BMC device already and gain root privileges).

We can't be *that* paranoid (we actually can, but given the circumstances, I really don't see the need to)

> * Server dies, the Nitrokey has to be moved to the new server.

That's a bummer. Let's not forget downtime to this. How long does it take Hetzner to move the key? *Who* is allowed to request it?

> Questions:
> * Do we back up the key? Let someone have a separate nitrokey?

I would vote for "yes" here. Let someone have a backup key that can be used in case the production one gets lost/broken/<insert_your_catastrophic_event_here>