savannah-hackers-public
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers-public] Group keyrings


From: Ineiev
Subject: [Savannah-hackers-public] Group keyrings
Date: Thu, 28 Jan 2021 19:38:28 +0000
User-agent: Mutt/1.5.24 (2015-08-30)

Currently, Savannah serves all GPG keys registered in accounts
of group's members as the keyring of the respective group,
like [0].

This keyring doesn't work very well as a source of signing
keys of group's releases, because the group may have many more
members than persons who actually sign releases: any member can
carelessly register new keys without thinking about the impact
on the security of released files, and team's admins have to
but monitor the aggregated keyring---I don't believe anyone actually
does (also, people may have one key for getting encrypted personal
emails and another key for signing tarballs).

In particular, the set of keys registered by members of 'emacs'
has quite a few very old keys, and one of them is dsa768; as far
as I understand, such keys aren't considered adequate these days.
if the bad ones crack such a key and replace files on a mirror
(I think it would be easier to setup a mirror and register it
on Savannah than to crack the key), they'll be able to get round
the signature verification for those who are unfortunate enough
to pick that mirror.

Probably, it would be better if each group had a public area
where its admins (rather than every member) could post only keys
used for releases, like GnuPG does [1]. I've just pushed a patch
for it to the group-keyring branch [2].

What do people think?

[0] https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=emacs
[1] https://www.gnupg.org/signature_key.html
[2] 
https://git.savannah.gnu.org/cgit/administration/savane.git/log/?h=group-keyring

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]