Date: Sat, 13 Feb 2016 23:03:06 +0100
From: Kristian Fiskerstrand <>
Subject: Re: Thoughts about security of Linux distributor
 collaboration platforms, bugtrackers for opensource software

On 02/13/2016 02:15 PM, Hanno Böck wrote:
> On Sat, 13 Feb 2016 05:52:44 +0000 halfdog <> wrote:
>> Hence really critical security material perhaps should not go to
>> such platforms, e.g. Ubuntu Launchpad, or the platform should be
>> modified to send security issues only in encrypted mails without a
>> talkative title; members without a registered mail public key
>> should get only the message "Bug [Number]: Info changed" including
>> the HTTPS link to the issue in the platform.
> This is roughly what Mozilla does and I like it a lot. They have a
> bug tracker over HTTPS and you can add a PGP key. If you don't add
> a PGP key and report a security bug you won't get updates via mail
> unencrypted.

Sadly the Bugzilla implementation, or rather the Perl module they are
using for it, is flawed and encrypts to the first public key it
considers viable [0,1] irrespective of usage flags [2], resulting in
undecryptable emails unless the OpenPGP certificate presented to
secureEmail is modified. I'd really like to see this fixed, but I'm
not sure if the scope is proper for a project such as GSoC. I actually
just wrote up a slight summary of such a project on [3].


Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP key at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Aquila non capit muscas
The eagle does not hunt flies

Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)
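The key-selection flaw Kristian describes (encrypting to the first key that looks usable, ignoring whether it carries the encrypt usage flag) is easy to reproduce on a key listing. The following is an added example, not code from Bugzilla, from the Perl module the post refers to, or from anyone on this thread. It parses a constructed key listing laid out like `gpg --with-colons` output (field 2 is validity, field 6 creation time, field 7 expiry, field 12 the capability letters, with lowercase letters describing that particular key) and contrasts the flawed "first viable key" choice with selection by usage flag. The key IDs and timestamps are placeholders I made up; the data models a certificate whose primary key is sign/certify-only, with a revoked, an expired, a signing-only and one live encryption subkey.

```python
"""Pick an OpenPGP encryption key by usage flag, not by position.

Added example. The listing below is constructed to mirror the
`gpg --with-colons` layout; key IDs are placeholders, not real keys.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one primary key (sign/certify only) and four subkeys.
# Validity letters: u = usable, r = revoked, e = expired.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1389632880::::::scSCEA:
sub:r:4096:1:0000000000000002:1389632880::::::e:
sub:e:4096:1:0000000000000005:1300000000:1400000000:::::e:
sub:u:4096:1:0000000000000004:1389632880::::::s:
sub:u:4096:1:0000000000000003:1450000000::::::e:
"""


@dataclass
class KeyRecord:
    kind: str              # "pub" (primary) or "sub" (subkey)
    validity: str          # gpg validity letter
    keyid: str
    created: int           # creation time, epoch seconds
    expires: Optional[int] # expiry time, epoch seconds, or None
    caps: str              # per-key capability flags: s, c, e, a


def parse_listing(text: str) -> list[KeyRecord]:
    """Parse pub/sub records from a colon-separated key listing."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # fpr/uid/other record types are not needed here
        expires = int(fields[6]) if fields[6] else None
        # Uppercase letters summarise the whole certificate; only the
        # lowercase ones say what this particular key may be used for.
        caps = "".join(ch for ch in fields[11] if ch.islower())
        records.append(KeyRecord(fields[0], fields[1], fields[4],
                                 int(fields[5]), expires, caps))
    return records


def _is_live(rec: KeyRecord, now: int) -> bool:
    """Not revoked, not expired by flag, not past its expiry timestamp."""
    if rec.validity in ("r", "e"):
        return False
    return rec.expires is None or rec.expires > now


def first_viable_key(records: list[KeyRecord], now: int) -> Optional[str]:
    """The flawed strategy from the post: first live key, flags ignored.

    On this certificate that is the sign/certify-only primary key, so
    mail encrypted to it cannot be decrypted by the recipient.
    """
    for rec in records:
        if _is_live(rec, now):
            return rec.keyid
    return None


def encryption_key(records: list[KeyRecord], now: int) -> Optional[str]:
    """Correct strategy: newest live key that carries the 'e' flag."""
    candidates = [r for r in records if "e" in r.caps and _is_live(r, now)]
    if not candidates:
        return None  # nothing to encrypt to; fall back to a bare notice
    return max(candidates, key=lambda r: r.created).keyid


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    now = 1500000000  # constructed "current time"
    print("first viable  :", first_viable_key(recs, now))  # primary, wrong
    print("by usage flag :", encryption_key(recs, now))    # live 'e' subkey
```

Returning `None` from `encryption_key` is the case a tracker should handle explicitly: with no usable encryption key on file, the safe behaviour is the bare "Bug [Number]: Info changed" notice, never a plaintext fallback.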
