Hi Willy,
On 30/07/2018 19:55, Willy Tarreau wrote:
> On Mon, Jul 30, 2018 at 07:41:33PM +0200, Tim Düsterhus wrote:
>> Willy,
>>
>> On 30.07.2018 at 18:05, Willy Tarreau wrote:
>>> A small update happened to the download directory, the sha256 of the
>>> tar.gz files are now present in addition to the (quite old) md5 ones.
>>> We may start to think about phasing md5 signatures out, for example
>>> after 1.9 is released.
>>
>> I'd even like to see PGP signatures, like you already do for the git
>> tags (but not the Tarballs). But this is a greater change than just
>> updating the checksums :-)
>
> I know and I've already thought about it. But I personally refuse to
> store my PGP key on any exposed machine. Right now in order to tag, I
> have to SSH into an isolated machine, run "git pull --tags",
> create-release, and "git push --tags". Then I upload the release.
>
> What I don't like with PGP on an exposed machine is that it reduces the
> size of your 4096-bit key to the size of your passphrase (which most
> often contains much less than the ~700 characters it would need to be
> as large), and also increases your ability to get fooled into entering
> it. Some would call me paranoid, but I don't think I am, I'm just
> trying to keep a balanced level of security, knowing that the global
> one is not better than the weakest point.
>
> If I wanted to sign the images, it would require finding a different
> release method and would significantly complicate the procedure.

I know old farts don't change, but for the two cents, newer versions of
OpenSSH (>= 6.7) and GnuPG (>= 2.1.1) allow you to forward the GnuPG agent
over SSH with reduced capacity, to reduce the attack surface you are
mentioning. More details are available at
https://wiki.gnupg.org/AgentForwarding

Cheers
--
Bertrand
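
The agent forwarding mentioned in the last message, sketched as an added configuration example that is not part of the original thread. The host alias `release-host`, the hostname and the uid-1000 socket paths are assumptions; `gpgconf --list-dir agent-extra-socket` (key-holding machine) and `gpgconf --list-dir agent-socket` (remote machine) print the real paths on recent GnuPG versions.

```sshconfig
# --- ~/.ssh/config on the machine that holds the private key ---
# Assumed alias and hostname; replace with your own.
Host release-host
    HostName release.example.org
    # RemoteForward <agent socket on the remote> <extra socket on this machine>
    # The "extra" socket is the restricted gpg-agent socket: the remote side
    # can request signing/decryption operations, but the private key never
    # leaves this machine and the passphrase prompt (pinentry) appears here.
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
    # Forwarding the GnuPG socket does not require SSH agent forwarding.
    ForwardAgent no

# --- /etc/ssh/sshd_config on the remote machine ---
# Lets sshd replace a stale socket file left over from a previous session;
# without it the forward fails when the path already exists.
StreamLocalBindUnlink yes
```

Only the public key is imported into the keyring on the remote machine; gpg there talks to the forwarded socket instead of starting a local agent.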