[arch-devops] security at archlinux.org address

Carlos Mogas da Silva r3pek at r3pek.org
Mon Feb 11 21:54:23 UTC 2019


Hi list!

On 11/02/2019 20:35, Jelle van der Waa wrote:
> For security at archlinux.org the Security Team wants to setup a way for
> reporters to securely mail encrypted issues to our email address.
Not actually questioning the motives but, is there really a *need* for this?
From now on, I'll assume "yes" here.

> * Cheapest Hetzner server 34 euro / month and 40 euro setup fees.
> * Hetzner auction server ~ 25 / month and no setup fees.
> * Different dedicated server hoster which allows custom usb devices.
I would go with an auction server. They're reliable and cheap (had 2
personally already).

> * Nitrokey is out of our control, but we trust Hetzner already (ie. they
>   could easily hook up a malicious USB/BMC device already and gain root
>   privileges).
We can't be *that* paranoid (we actually can, but given the circumstances, I really don't see the need to).

> * Server dies, the Nitrokey has to be moved to the new server.
That's a bummer. Let's not forget the downtime for this. How long does it take Hetzner to move the key? *Who* is allowed to request it?


> Questions:
> * Do we backup the key? Let someone have a separate nitrokey?
I would vote for "yes" here. Let someone have a backup key that can be used in case the production one gets
lost/broken/<insert_your_catastrophic_event_here>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20190211/fa83600b/attachment.sig>

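As an added example (not part of the thread above, and not Arch's tooling): once the security@ key lives on a Nitrokey, the practical question is verifying on the server that every secret (sub)key is really a card stub and that none of the material was left on disk, and which token serial each stub points at (relevant to the backup-key discussion, since a second card will show up as a second serial). The script below parses gpg's machine-readable `--with-colons --list-secret-keys` output, where field 15 of a `sec`/`ssb` record carries the token serial number when the key is on a card, or `#` when only a stub without any secret material exists. The sample listing, key IDs and serial number are constructed placeholders.

```python
"""Audit where the secret material of a GnuPG key lives: on a
smartcard/Nitrokey (card stub), on disk under gpg-agent, or missing.

Parses the output of:
    gpg --with-colons --list-secret-keys <keyid>
The sample listing below is constructed for this example; key IDs and
the card serial number are placeholders, not real values.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# 0-based indexes into a colon record, per GnuPG's doc/DETAILS:
# field 5 = key ID, field 12 = capabilities, field 15 = token S/N.
KEYID_FIELD = 4
CAPS_FIELD = 11
TOKEN_SN_FIELD = 14


@dataclass
class SecretKey:
    kind: str                    # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str                    # e.g. "cSC", "e", "s", "a"
    token_serial: Optional[str]  # card serial, None if not on a card
    stub: bool                   # True when gpg reports "#" (no secret at all)


def parse_secret_keys(colon_output: str) -> List[SecretKey]:
    """Extract sec/ssb records and classify where their secret lives."""
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        sn = fields[TOKEN_SN_FIELD] if len(fields) > TOKEN_SN_FIELD else ""
        keys.append(SecretKey(
            kind=fields[0],
            keyid=fields[KEYID_FIELD],
            caps=fields[CAPS_FIELD],
            # "" = secret held on disk by gpg-agent, "#" = stub only,
            # anything else is the serial number of the token.
            token_serial=None if sn in ("", "#") else sn,
            stub=(sn == "#"),
        ))
    return keys


def audit(keys: List[SecretKey]) -> Dict[str, object]:
    """Summarise the listing: which cards are referenced, which keys
    still have on-disk secrets, and which have no secret at all."""
    serials = {k.token_serial for k in keys if k.token_serial}
    return {
        "card_serials": sorted(serials),
        "on_disk": [k.keyid for k in keys if k.token_serial is None and not k.stub],
        "missing": [k.keyid for k in keys if k.stub],
        # A production key should reference exactly one card; a second
        # serial means a backup token's stubs are mixed into this keyring.
        "single_card": len(serials) == 1,
    }


def audit_live_key(keyid: str) -> Dict[str, object]:
    """Run gpg on the local keyring (not used by the sample below)."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--list-secret-keys", keyid],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_secret_keys(out))


# Constructed sample: primary + encryption subkey on one card, a signing
# subkey accidentally left on disk, and an auth subkey that is a bare stub.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1549921200:::u:::cSC:::D2760001240102010006000000010000::rsa4096::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:u::::1549921200::0000::Arch Linux Security Team <security@archlinux.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1549921200::::::e:::D2760001240102010006000000010000::rsa4096::0:
ssb:u:4096:1:1111222233334444:1549921200::::::s::::::rsa4096::0:
ssb:u:4096:1:5555666677778888:1549921200::::::a:::#::rsa4096::0:
"""

if __name__ == "__main__":
    result = audit(parse_secret_keys(SAMPLE_LISTING))
    for name, value in result.items():
        print(f"{name}: {value}")
    if result["on_disk"]:
        print("WARNING: secret material present on disk for", result["on_disk"])
```

On the real server you would call `audit_live_key("<keyid>")` after `keytocard` and expect `on_disk` to be empty and `card_serials` to contain only the production Nitrokey's serial; the same check run against the backup card's keyring tells you whether the spare key is actually usable.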