Re: Retire keys.fedoraproject.org?

2019-07-06 Thread Neal Gompa
On Fri, Jul 5, 2019 at 11:15 AM Pierre-Yves Chibon  wrote:
>
> On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote:
> > Hey everyone,
> >
> > As some of you may have read:
> >
> > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> > and
> > https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
> >
> > or other media reports about vulnerabilities of the current gpg
> > keyserver software/network/policy.
> >
> > TLDR: Someone can (and has been) flooding sks keyservers with poisoned
> > certs. Users that download from sks keyservers may well find gpg just
> > stops working, hangs, or breaks in terrible ways. The SKS software is no
> > longer maintained and because the policy is 'never delete anything'
> > there's likely no way to mitigate the attacks.
> >
> > I've cc'ed nb here for his take on things, but as I read it, it might be
> > best to just retire the keys.fedoraproject.org service at least for now
> > to avoid breaking users or telling them we have a service they should
> > trust when they really... should not.
>
> Having read this, +1 to decommission this service. This is quite saddening
> though :(
>
> I'd like to hear nb's opinion on this, but I think we may want to announce our
> intent and turn it off somewhat soon.
>

As someone who relies on keys.fedoraproject.org quite a lot, I'm sad
that we have to decommission it...

If we ever brought it back, we'd probably want to configure the server
to not be part of the SKS server ring...




--
真実はいつも一つ!/ Always, there's only one truth!
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org


Re: Retire keys.fedoraproject.org?

2019-07-05 Thread Julen Landa Alustiza
Clicking my gpg key on admin.fp.o ends up on keys.fp.o. We should get rid of that
link.
Julen Landa Alustiza 


Re: Retire keys.fedoraproject.org?

2019-07-05 Thread Pierre-Yves Chibon
On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote:
> Hey everyone,
> 
> As some of you may have read:
> 
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> and
> https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
> 
> or other media reports about vulnerabilities of the current gpg
> keyserver software/network/policy.
> 
> TLDR: Someone can (and has been) flooding sks keyservers with poisoned
> certs. Users that download from sks keyservers may well find gpg just
> stops working, hangs, or breaks in terrible ways. The SKS software is no
> longer maintained and because the policy is 'never delete anything'
> there's likely no way to mitigate the attacks.
> 
> I've cc'ed nb here for his take on things, but as I read it, it might be
> best to just retire the keys.fedoraproject.org service at least for now
> to avoid breaking users or telling them we have a service they should
> trust when they really... should not.

Having read this, +1 to decommission this service. This is quite saddening
though :(

I'd like to hear nb's opinion on this, but I think we may want to announce our intent
and turn it off somewhat soon.


Pierre




Re: Retire keys.fedoraproject.org?

2019-07-04 Thread charles profitt
+1 to turning it off as well.

I hope it can be fixed or an alternative created, but best to not have
Fedora users experience any issues due to the issue.

Charles




Re: Retire keys.fedoraproject.org?

2019-07-03 Thread Emiliano Dalla Verde Marcozzi
On Tue, Jul 2, 2019 at 18:48, Kevin Fenzi () wrote:

> Hey everyone,
>
> As some of you may have read:
>
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> and
> https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
>
> or other media reports about vulnerabilities of the current gpg
> keyserver software/network/policy.
>
> TLDR: Someone can (and has been) flooding sks keyservers with poisoned
> certs. Users that download from sks keyservers may well find gpg just
> stops working, hangs, or breaks in terrible ways. The SKS software is no
> longer maintained and because the policy is 'never delete anything'
> there's likely no way to mitigate the attacks.
>
> I've cc'ed nb here for his take on things, but as I read it, it might be
> best to just retire the keys.fedoraproject.org service at least for now
> to avoid breaking users or telling them we have a service they should
> trust when they really... should not.
>
> Thoughts?
>
> kevin
>

Hello Kevin,
I agree with you about shutting down `keys.fedoraproject.org`. It seems SKS
(the software used by the keyservers) will not be safe to use until someone
(smart, who codes OCaml and who understands the algorithm) can address this
problem.

As it says here:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations
"... At present I (speaking only for myself) do not believe the global
keyserver network is salvageable. High-risk users should stop using the
keyserver network immediately"

So +1 to turn it off.
Best,
Emiliano.

--
iex(1)> [104, 116, 116, 112, 58, 47, 47, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 47, 101, 100, 118, 109]


Retire keys.fedoraproject.org?

2019-07-02 Thread Kevin Fenzi
Hey everyone,

As some of you may have read:

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
and
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

or other media reports about vulnerabilities of the current gpg
keyserver software/network/policy.

TLDR: Someone can (and has been) flooding sks keyservers with poisoned
certs. Users that download from sks keyservers may well find gpg just
stops working, hangs, or breaks in terrible ways. The SKS software is no
longer maintained and because the policy is 'never delete anything'
there's likely no way to mitigate the attacks.

I've cc'ed nb here for his take on things, but as I read it, it might be
best to just retire the keys.fedoraproject.org service at least for now
to avoid breaking users or telling them we have a service they should
trust when they really... should not.

Thoughts?

kevin
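As an added example, not code from this thread or from Fedora Infrastructure: a small triage check for the "poisoned certs" Kevin describes. It parses the colon-delimited output of `gpg --homedir /tmp/scratch-gnupg --with-colons --list-sigs <keyid>` and counts, per primary key, how many certifications come from keys other than the key itself, flagging anything above a threshold. Assumptions: the certificate was first imported into a throwaway `--homedir` so the main keyring is untouched, the threshold of 1000 third-party certifications is an arbitrary choice (a normal key carries a handful, the flooded ones carry tens of thousands), and both sample listings below are constructed, not real keyserver data. One caveat worth stating plainly: GnuPG still has to parse the whole certificate to produce the listing, so importing a heavily flooded key even into a scratch keyring can itself take a very long time; this check is a way to decide whether to copy a key into a real keyring, not a way to avoid the hang on the fetch itself.

```python
"""Added example: triage a freshly fetched OpenPGP certificate for flooding.

Parses the colon-delimited output of
    gpg --homedir /tmp/scratch-gnupg --with-colons --list-sigs <keyid>
and counts, per primary key, how many certifications come from keys other
than the key itself.
"""
from dataclasses import dataclass, field


# Assumed threshold, not a GnuPG or Fedora value: anything above this many
# third-party certifications is treated as a suspected flood.
DEFAULT_MAX_SIGS = 1000


@dataclass
class KeyStats:
    keyid: str
    fingerprint: str = ""
    uids: int = 0
    self_sigs: int = 0
    third_party_sigs: int = 0
    signers: set = field(default_factory=set)


def parse_colon_listing(text: str) -> dict:
    """Return {long key id: KeyStats} for every 'pub' record in the listing.

    Colon-format fields used (0-based index): 0 record type, 4 key id,
    9 fingerprint (on 'fpr' records).
    """
    stats = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub" and len(fields) > 4:
            current = KeyStats(keyid=fields[4])
            stats[current.keyid] = current
        elif current is None:
            continue  # records before the first key (e.g. 'tru') are ignored
        elif rtype == "fpr" and len(fields) > 9 and not current.fingerprint:
            current.fingerprint = fields[9]  # first fpr is the primary key's
        elif rtype == "uid":
            current.uids += 1
        elif rtype == "sig" and len(fields) > 4:
            signer = fields[4]
            if signer == current.keyid:
                current.self_sigs += 1  # uid self-sigs and subkey bindings
            else:
                current.third_party_sigs += 1
                current.signers.add(signer)
    return stats


def flagged_keys(stats: dict, max_sigs: int = DEFAULT_MAX_SIGS) -> list:
    """Key ids whose third-party certification count exceeds max_sigs."""
    return sorted(k for k, s in stats.items() if s.third_party_sigs > max_sigs)


def analyze(text: str, max_sigs: int = DEFAULT_MAX_SIGS):
    """Parse a listing and return (per-key stats, suspected flooded key ids)."""
    stats = parse_colon_listing(text)
    return stats, flagged_keys(stats, max_sigs)


# Constructed sample: one ordinary key (a self-sig plus one certification).
SAMPLE_NORMAL = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1500000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAAAAAAAA1:
uid:u::::1500000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAA1:1500000000::::Alice Example <alice@example.org>:13x::
sig:::1:BBBBBBBBBBBBBBB2:1500000100::::Bob Example <bob@example.org>:10x::
"""


def constructed_flooded_listing(n_sigs: int) -> str:
    """Constructed sample of a flooded key: n_sigs certifications from
    n_sigs distinct unknown keys, the shape of the attack in the thread."""
    lines = [
        "pub:u:4096:1:CCCCCCCCCCCCCCC3:1500000000::u:::scESC::::::23::0:",
        "fpr:::::::::0123456789ABCDEF01234567CCCCCCCCCCCCCCC3:",
        "uid:u::::1500000000::CAFEBABE::Carol Example <carol@example.org>::::::::::0:",
        "sig:::1:CCCCCCCCCCCCCCC3:1500000000::::Carol Example <carol@example.org>:13x::",
    ]
    for i in range(n_sigs):
        lines.append(f"sig:::1:{i:016X}:1500000000::::[User ID not found]:10x::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    stats, flagged = analyze(SAMPLE_NORMAL + constructed_flooded_listing(5000))
    for keyid, s in stats.items():
        print(f"{keyid}: uids={s.uids} self_sigs={s.self_sigs} "
              f"third_party={s.third_party_sigs} distinct_signers={len(s.signers)}")
    print("suspected flooded keys:", flagged)
```

Run it as-is to see the two constructed keys scored, or feed it the real `--with-colons --list-sigs` output from a scratch homedir via `analyze(open("listing.txt").read())`. Counting distinct signers separately from the raw signature count is deliberate: a flood is many certifications from many throwaway keys, which looks different from one signer re-certifying a key many times.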


