On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote: > Hey everyone, > > As some of you may have read: > > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f > and > https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html > > or other media reports about vulnerabilities of the current gpg > keyserver software/network/policy. > > TLDR: Someone can (and has been) flooding sks keyservers with poisoned > certs. Users that download from sks keyservers may well find gpg just > stops working, hangs, or breaks in terrible ways. The SKS software is no > longer maintained and because the policy is 'never delete anything' > there's likely no way to mitigate the attacks. > > I've cc'ed nb here for his take on things, but as I read it, it might be > best to just retire the keys.fedoraproject.org service at least for now > to avoid breaking users or telling them we have a service they should > trust when they really... should not. Having read this, +1 to decommission this service. This is quite saddening though :( I'd to hear nb's opinion on this but I think we may want to announce our intent and turn it off somewhat soon. Pierre
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
