Hi, all, This mail is intended for brainstorming some ideas before GUADEC. It's not to decide anything and set it in stone.
I've been preparing my GUADEC talk about crypto infrastructure for newbies, and I've started to realize that it may be useful for gnome.org to have an "official", publicly-documented crypto infrastructure of its own. Here is a set of somewhat related ideas:

* GNOME releases tarballs of source code. Maintainers regularly post checksums of their tarballs along with their announcement emails. Until now, I'm not sure if we have had the need to *guarantee* that a particular release of code is authentic. For example, we don't actually crypto-sign tarballs like the Tor project would --- in their case, whoever downloads the code *really* wants to ensure that it hasn't been tampered with. Again, I'm not sure if we have that kind of security-conscious code, but maybe we could start crypto-signing our tarballs. Which brings me to...

* Identity in the GNOME project. We have keysigning parties at GUADEC. Some maintainers actually sign their tarball announcement emails, so if you have their GPG public key (and if they posted a checksum of their tarball in their email), you can actually verify whether a tarball is pristine. I doubt that anyone actually does this sort of checking ;)

* If we ever get an infrastructure to publish compiled "apps", what with all the sandboxing stuff being worked on, will we need harder guarantees about authentic binaries and code?

* Would it be useful / trustworthy to have a gnome.org-specific GPG keyserver? One that cannot be poisoned like public keyservers? (I don't really know how to do this, but if only people with SSH keys can push to git.gnome.org, maybe we can do something similar for a keyserver...)

* Would app authors need certificates? Should gnome.org be able to issue certificates (and should we ship our Certificate Authority information somewhere)?

* Can we have some sort of synergy with keybase.io?

* There is a public key in the keyservers for secr...@gnome.org, but as far as I can tell it has no signatures. How would people verify it? (AFAICT it was announced here: https://mail.gnome.org/archives/infrastructure-announce/2013-November/msg00001.html)

* Should we have a web page linking to GNOME's important public keys and such? (The ones you would use to encrypt reports of security bugs and such.)

* (I know Debian has well-documented procedures for signing things and such; I'm sure we can copy those procedures for some things.)

Again, these are just questions or ideas for now. Any input is appreciated. All the (conflicting) information about crypto-related matters out there on the web is giving me the biggest case of impostor syndrome ever :)

Federico
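The check the second bullet describes (a GPG-signed announcement that carries the tarball's checksum, verified against the downloaded file), as an added shell example that is not part of Federico's mail or of GNOME's own tooling. It assumes gpg and sha256sum are installed, the maintainer's key is already in the local keyring with web-of-trust validity, and the announcement contains a line of the assumed form `sha256sum: <hex>  <tarball>`.

```shell
#!/bin/sh
# Added example, not from the mail: check a downloaded release tarball against
# a GPG-clearsigned announcement that names the tarball's sha256 checksum.
# Assumptions: gpg and sha256sum are installed, the maintainer's key is in the
# local keyring, and the announcement carries a line (format assumed here):
#   sha256sum: <64 hex chars>  <tarball file name>
set -eu

# Step 1: the announcement must carry a valid signature, and the signing key
# must have trust earned through the web of trust (e.g. signed at a GUADEC
# keysigning party). GOODSIG/VALIDSIG alone is not enough: gpg reports them
# for any key in the keyring, including one pulled from a poisoned keyserver.
verify_announcement_signature() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'
}

# Step 2: take the checksum the maintainer published for exactly this file
# name and compare it with the tarball on disk. Returns 1 if the announcement
# names no checksum for the file, if the value is not a sha256 hex digest,
# or if the digests differ.
verify_tarball_checksum() {
    announcement=$1
    tarball=$2
    name=$(basename "$tarball")
    expected=$(awk -v name="$name" \
        '$1 == "sha256sum:" && $3 == name { print $2; exit }' "$announcement")
    printf '%s' "$expected" | grep -qE '^[0-9a-f]{64}$' || return 1
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both checks must pass: a matching checksum from an unsigned or untrusted
# announcement proves only that someone edited both files consistently.
verify_release() {
    verify_announcement_signature "$1" || { echo "signature check failed" >&2; return 1; }
    verify_tarball_checksum "$1" "$2" || { echo "checksum check failed" >&2; return 1; }
    echo "ok: $(basename "$2") matches the signed announcement"
}

# Usage (hypothetical file name): ./verify-release.sh announce.txt gnome-thing-1.0.tar.xz
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```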