Hey everyone,

As some of you may have read:

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

and

https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

or other media reports about vulnerabilities of the current gpg keyserver software/network/policy.

TLDR: Someone can (and has been) flooding sks keyservers with poisoned certs. Users that download from sks keyservers may well find gpg just stops working, hangs, or breaks in terrible ways. The SKS software is no longer maintained and because the policy is 'never delete anything' there's likely no way to mitigate the attacks.

I've cc'ed nb here for his take on things, but as I read it, it might be best to just retire the keys.fedoraproject.org service at least for now to avoid breaking users or telling them we have a service they should trust when they really... should not.

Thoughts?

kevin
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
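The failure mode described in the message (a certificate carrying so many third-party certifications that gpg hangs or breaks on import) can be screened for before a downloaded certificate ever touches a keyring. The following is an added example, not code from this thread or from Fedora Infrastructure: it parses the text that `gpg --list-packets` prints for a certificate, counts the third-party certification signatures (sigclass 0x10 to 0x13, excluding the key's own self-signatures) on each user ID, and refuses the import when any user ID exceeds a threshold. The threshold value, the `keyid:` line format it relies on, and the sample packet dump built by `build_sample_dump` are assumptions made for this example.

```python
"""Pre-import screen for flooded OpenPGP certificates (added example).

Feed it the output of `gpg --list-packets < cert.asc`. A flooded
certificate carries an enormous number of third-party certification
signatures on one or more user IDs; this counts them and flags the cert.
"""
import re
import sys
from collections import Counter

MAX_CERTIFICATIONS_PER_UID = 500  # assumed threshold; tune for your keyring

# Line formats from `gpg --list-packets` (gpg 2.2 style) that we rely on.
KEYID_RE = re.compile(r"^\s*keyid: ([0-9A-Fa-f]{16})$")
UID_RE = re.compile(r'^:user ID packet: "(.*)"$')
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]{16})$")
SIGCLASS_RE = re.compile(r"\bsigclass 0x([0-9a-fA-F]{2})\b")


def count_third_party_certifications(dump):
    """Return Counter {user ID: third-party certification signatures}.

    Certification signatures have sigclass 0x10..0x13. Signatures issued by
    the certificate's own primary key (first `keyid:` line in the dump) are
    self-signatures and are not counted.
    """
    counts = Counter()
    primary_keyid = None
    current_uid = None
    pending_issuer = None  # issuer of the signature packet being read
    for line in dump.splitlines():
        m = KEYID_RE.match(line)
        if m and primary_keyid is None:
            primary_keyid = m.group(1).upper()
            continue
        m = UID_RE.match(line)
        if m:
            current_uid = m.group(1)
            counts.setdefault(current_uid, 0)
            pending_issuer = None
            continue
        m = SIG_RE.match(line)
        if m:
            pending_issuer = m.group(1).upper()
            continue
        m = SIGCLASS_RE.search(line)
        if m and pending_issuer is not None and current_uid is not None:
            sigclass = int(m.group(1), 16)
            if 0x10 <= sigclass <= 0x13 and pending_issuer != primary_keyid:
                counts[current_uid] += 1
            pending_issuer = None
    return counts


def check_certificate(dump, max_per_uid=MAX_CERTIFICATIONS_PER_UID):
    """Return (safe_to_import, counts); False if any UID exceeds the limit."""
    counts = count_third_party_certifications(dump)
    flooded = {uid: n for uid, n in counts.items() if n > max_per_uid}
    return (not flooded), counts


# --- constructed sample input (not a real certificate) ---------------------
PRIMARY = "1234567890ABCDEF"  # made-up primary key id


def _sig_packet(issuer, sigclass):
    return (f":signature packet: algo 1, keyid {issuer}\n"
            f"\tversion 4, created 1560000000, md5len 0, sigclass 0x{sigclass:02x}\n"
            f"\tdigest algo 8, begin of digest 00 00\n")


def build_sample_dump(n_flood):
    """Constructed list-packets dump: one clean self-signed UID plus a second
    UID carrying n_flood certifications from distinct made-up key ids."""
    out = [":public key packet:\n\tversion 4, algo 1, created 1560000000, expires 0\n",
           f"\tkeyid: {PRIMARY}\n",
           ':user ID packet: "Alice <alice@example.org>"\n',
           _sig_packet(PRIMARY, 0x13),
           ':user ID packet: "Alice (work) <alice@example.com>"\n',
           _sig_packet(PRIMARY, 0x13)]
    for i in range(n_flood):
        out.append(_sig_packet(f"{i:016X}", 0x10))
    return "".join(out)


if __name__ == "__main__":
    # Usage: gpg --list-packets < cert.asc | python3 check_cert.py
    text = sys.stdin.read() if not sys.stdin.isatty() else build_sample_dump(600)
    ok, per_uid = check_certificate(text)
    for uid, n in per_uid.items():
        print(f"{n:7d} third-party certifications  {uid}")
    print("OK to import" if ok else "REFUSING: certificate looks flooded")
    sys.exit(0 if ok else 1)
```

Run it in a pipeline in front of `gpg --import` so that a flooded certificate is rejected before it can wedge the keyring; with no stdin it screens the constructed flooded sample and exits non-zero.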