On Tue, Jul 2, 2019 at 18:48, Kevin Fenzi (<[email protected]>) wrote:
> Hey everyone,
>
> As some of you may have read:
>
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> and
> https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
>
> or other media reports about vulnerabilities of the current gpg
> keyserver software/network/policy.
>
> TLDR: Someone can (and has been) flooding sks keyservers with poisoned
> certs. Users that download from sks keyservers may well find gpg just
> stops working, hangs, or breaks in terrible ways. The SKS software is no
> longer maintained and because the policy is 'never delete anything'
> there's likely no way to mitigate the attacks.
>
> I've cc'ed nb here for his take on things, but as I read it, it might be
> best to just retire the keys.fedoraproject.org service at least for now
> to avoid breaking users or telling them we have a service they should
> trust when they really... should not.
>
> Thoughts?
>
> kevin
>
> _______________________________________________
> infrastructure mailing list -- [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
>

Hello Kevin,

I agree with you about shutting down `keys.fedoraproject.org`. Seems SKS (the software used by the keyservers) will not be safe to use until someone (smart and who codes OCaml and who understands the algorithm) can address this problem.

As it says here:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations

"... At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately...."

So +1 to turn it off.

Best,
Emiliano.

--
iex(1)> [104, 116, 116, 112, 58, 47, 47, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 47, 101, 100, 118, 109]
