[arch-devops] security at archlinux.org address

Christian Rebischke Chris.Rebischke at archlinux.org
Tue Feb 12 19:24:09 UTC 2019


On Mon, Feb 11, 2019 at 09:35:36PM +0100, Jelle van der Waa wrote:
> For security at archlinux.org the Security Team wants to setup a way for
> reporters to securely mail encrypted issues to our email address. To
> limit the bus factor we want to send those emails to multiple receivers
> and then handle and/or forward the information appropriately. Schleuder
> provides a solution to this issue by decrypting the sent email and
> re-encrypting it to the Arch Security team members.
> 
> Since this requires a GPG key to be on the server, we want to implement
> this securely and hook up a nitrokey pro 2 to a separate Hetzner
> dedicated server. This server serves the sole purpose of hosting the
> security mail address. Installing by Hetzner costs 18 euros (excl.
> VAT).
> 
> Options:
> 
> * Cheapest Hetzner server 34 euro / month and 40 euro setup fees.
> * Hetzner auction server ~ 25 / month and no setup fees.
> * Different dedicated server hoster which allows custom usb devices.
> 
> Benefits:
> 
> * Key can’t be recovered by an attacker who has access to the server.
> * Receivers don’t need a shared private key but only their own.
> * Separate server so no other software can influence/impact.
> 
> Downsides:
> 
> * Nitrokey is out of our control, but we trust Hetzner already (ie. they
>   could easily hook up a malicious USB/BMC device already and gain root
>   privileges).
> * Server dies, the Nitrokey has to be moved to the new server.
> 
> Questions:
> 
> * How to update the key, handle key expiration?
> * Do we backup the key? Let someone have a separate nitrokey?
> 
> Setup:
> * Levente (anthraxx) volunteered to acquire, setup key (+revocation) and
>   get it to Hetzner.
> 
> -- 
> Jelle van der Waa


Seems like I've missed a discussion on IRC. Please don't read my next
lines as a stab in your back.

First of all I don't understand the problem you want to solve with this
solution. In the past we had people who monitored the
security at archlinux.org address and I always had the feeling that they
did their job well and had no problem with doing it. I always thought
that there are not so many mails with security at archlinux.org as
recipient. So either my observation was wrong or things have changed.

Let's say the workload has increased. Then I am fully with you and I
can understand your problem. On the technical aspects I like your idea,
but I can understand Florian's point of view as well. Maybe the problem
could be already solved via creating a security landing page with a few
developer mail addresses and their GPG keys.

But here is another argument for the server:

We could use it as an isolated machine for automatically signing ISO images
and Arch Linux images.


chris / shibumi