[arch-devops] security at archlinux.org address
anthraxx at archlinux.org
Mon Feb 18 14:10:00 UTC 2019
On 2/11/19 10:48 PM, Florian Pritz via arch-devops wrote:
> On Mon, Feb 11, 2019 at 09:35:36PM +0100, Jelle van der Waa <jelle at vdwaa.nl> wrote:
>> For security at archlinux.org the Security Team wants to set up a way for
>> reporters to securely mail encrypted issues to our email address. To
>> limit the bus factor we want to send those emails to multiple receivers
>> and then handle and/or forward the information appropriately. Schleuder
>> provides a solution to this issue by decrypting the sent email and
>> re-encrypting it to the Arch Security team members.
> Any reason why we don't just follow "The Apache Way" (my term) and
> list a few of the "core" security people on our website with gpg keys?
> Then the user has to fetch like 2-4 keys, but I think that's much, much
> easier and more robust than what is proposed here. This does not require
> any new keys/servers/software.
Yes, all this sounds nice and convenient if we are talking about single-
time reporters that search for a contact to report an issue.

However, the primary advantage we wanted to have solved on top is
managed/subscribed reporting to CERT. Right now it's extremely
in-transparent, we have "random" people mapped on their side (and it
already contains an inactive dev).

What we wish to have is a transparent way to manage first-level
receivers on our side (e.g. in ansible) that handle and redistribute the
information to the right people on our team.

I don't quite like that we need to be aware of who may be registered at
CERT and alter it when people resign.

Also it could be a good beta test for using a GPG smartcard in the data
center that may potentially be handy for future stuff :-)