El mar., 2 jul. 2019 a las 18:48, Kevin Fenzi (<kevin@xxxxxxxxx>) escribió:
Hey everyone,
As some of you may have read:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
and
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
or other media reports about vulnerabilities of the current gpg
keyserver software/network/policy.
TLDR: Someone can (and has been) flooding sks keyservers with poisoned
certs. Users that download from sks keyservers may well find gpg just
stops working, hangs, or breaks in terrible ways. The SKS software is no
longer maintained and because the policy is 'never delete anything'
there's likely no way to mitigate the attacks.
I've cc'ed nb here for his take on things, but as I read it, it might be
best to just retire the keys.fedoraproject.org service at least for now
to avoid breaking users or telling them we have a service they should
trust when they really... should not.
Thoughts?
kevin
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
I agree with you about shutting down `keys.fedoraproject.org`. Seems SKS (the software used by the keyservers)
will be not safe to use until someone (smart and who code OCaml and who understands the algorithm) can address this problem.
"... At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately...."
So +1 to turn it off.
Best,
Emiliano.
--
iex(1)> [104, 116, 116, 112, 58, 47, 47, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109,
47, 101, 100, 118, 109]
47, 101, 100, 118, 109]
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx