Re: [Savannah-users] Multiple GPG keys on Savannah

From: Bob Proulx
Subject: Re: [Savannah-users] Multiple GPG keys on Savannah
Date: Fri, 2 Aug 2019 22:15:56 -0600
User-agent: Mutt/1.10.1 (2018-07-13)

Asher Gordon wrote:
> Ineiev writes:
> > The respective part of Savannah runs Trisquel 7, and it comes with
> > GnuPG 2.0 series which doesn't support ECC anyway; however, we should
> > update it before 2020, and then...
> I see. It's too bad Savannah doesn't host the GnuPG git repository,
> because then I could point out how ironic it is that Savannah hosts
> GnuPG but still uses an old version! :-)

I'll own that one.  I really push for having an alive security patch
process and using a software distribution package management system
makes that much easier than building everything from scratch.  Our
Savannah systems get patches installed usually within a day of their
being available from the distro security team.  That covers literally
millions of lines of code.  That is much more than we could review and
manage ourselves.  We rely upon the community to help.  For critical
services such as gpg the visibility and importance of a security
problem would be high.

Every time we decide that we are going to own a bit of code for the
systems then *we* must be on-the-bounce ready to react to any security
issues.  If someone finds a vulnerability in a project that we are
owning then we need to jump and react to it.  But with an entire
system it is really easy not to notice an individual project needing a
custom update.  The terrible irony would be that a security
vulnerability would get found, reported, known by the malicious, fixed
upstream, and we might still be running a stale old copy that we had
not realized needed to be updated if we are not paying attention and
get compromised.  On the other hand the daily distro package upgrade
keeps things simple.

It is possible to use containers to jump some bits of software forward
using a different distro and that associated security stream.  We do
that for a few services.  (Notably for git.)  We might do that for GPG
too.  Life and time are what keep everything from happening all at
once.  Every time we do that it also increases the complexity of the
interactions.  But GPG features have been causing noise so we will
probably get there eventually.

Attachment: signature.asc
Description: PGP signature