On Fri, Jul 5, 2019 at 11:15 AM Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> wrote: > > On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote: > > Hey everyone, > > > > As some of you may have read: > > > > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f > > and > > https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html > > > > or other media reports about vulnerabilities of the current gpg > > keyserver software/network/policy. > > > > TLDR: Someone can (and has been) flooding sks keyservers with poisoned > > certs. Users that download from sks keyservers may well find gpg just > > stops working, hangs, or breaks in terrible ways. The SKS software is no > > longer maintained and because the policy is 'never delete anything' > > there's likely no way to mitigate the attacks. > > > > I've cc'ed nb here for his take on things, but as I read it, it might be > > best to just retire the keys.fedoraproject.org service at least for now > > to avoid breaking users or telling them we have a service they should > > trust when they really... should not. > > Having read this, +1 to decommission this service. This is quite saddening > though :( > > I'd to hear nb's opinion on this but I think we may want to announce our intent > and turn it off somewhat soon. > As someone who relies on keys.fedoraproject.org quite a lot, I'm sad that we have to decommission it... If we ever brought it back, we'd probably want to configure the server to not be part of the SKS server ring... -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
