[arch-devops] security at archlinux.org address

Levente Polyak anthraxx at archlinux.org
Tue Feb 19 21:55:24 UTC 2019

On 2/18/19 9:23 PM, Florian Pritz via arch-devops wrote:
> On Mon, Feb 18, 2019 at 03:10:00PM +0100, Levente Polyak via arch-devops <arch-devops at lists.archlinux.org> wrote:
>> However, the primary advantage we wanted to have solved on top are
>> managed/subscribed reporting to CERT.
> Sorry, I didn't know that. This is indeed a pretty good reason and I'm
> much more inclined to agree that deploying this might be a good idea. If
> someone wants to work on this (i.e. create ansible roles), I won't oppose.

I'm sure we will be able to provide them properly, jelle would work on
this as well.

> Some question came to mind though: Do we actually need encryption there?
> Do they send important/zero-day/private issues or do they just send some
> form of advisory about already public problems? Or do they require a GPG
> key before they add you to their contact list?

Yes, it is mostly sensitive pre-notification before information is
declared public. They also accept sending it in clear-text, so I guess I
will make sure now that we only receive notifications to
security at archlinux.org. We can later update the contact to make them
use the new GPG key; I would still prefer if they don't need to send it
in clear-text :-)

> Also, could you give a rough estimate of how many mails per day/month/year
> we are talking about and how many different senders are involved?

It fluctuates highly, but a rough overall estimate would be something
around 6 mails per month with approx. 4 unique senders (3 of which on a
regular or semi-regular basis).


