Date: Sat, 13 Feb 2016 23:03:06 +0100
From: Kristian Fiskerstrand <kristian.fiskerstrand@...ptuouscapital.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts about security of Linux distributor
 collaboration platforms, bugtrackers for opensource software

On 02/13/2016 02:15 PM, Hanno Böck wrote:
> On Sat, 13 Feb 2016 05:52:44 +0000 halfdog <me@...fdog.net> wrote:
> 
>> Hence really critical security material perhaps should not go to
>> such platforms, e.g. Ubuntu Launchpad, or the platform should be
>> modified to send security issues only in encrypted mails without
>> talkative title, members without mail public key registered
>> should get only message "Bug [Number]: Info changed" including
>> the HTTPS link to the issue in the platform.
> 
> This is roughly what mozilla does and I like it a lot. They have a
> bug tracker over https and you can add a PGP key. If you don't add
> a PGP key and report a security bug you won't get updates via mail 
> unencrypted.
> 

Sadly the bugzilla implementation, or rather the perl module they are
using for it, is flawed and encrypts to the first public key it
considers viable [0,1] irrespective of usage flags [2], resulting in
un-decryptable emails unless modifying the OpenPGP certificate
presented to secureEmail. I'd really like to see this fixed, but I'm
not sure if the scope is proper for a project such as GSoC. I actually
just wrote up a slight summary of such a project on [3].

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=790487
[1] https://github.com/btrott/Crypt-OpenPGP/issues/9
[2] http://tools.ietf.org/html/rfc4880#section-5.2.3.21
[3] https://download.sumptuouscapital.com/GSoC/perl-bugzilla-openpgp-potential-gsoc-project.txt

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies
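An added example, not code from the thread, from Bugzilla or from Crypt-OpenPGP: a small Python parser for the RFC 4880 Key Flags subpacket (section 5.2.3.21, cited as [2] above) that then chooses an encryption key by its flags instead of taking the first key that merely looks usable. The key ids and the subpacket bytes are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

KEY_FLAGS_SUBPACKET = 27  # RFC 4880 section 5.2.3.21
FLAG_CERTIFY, FLAG_SIGN = 0x01, 0x02
FLAG_ENCRYPT_COMMS, FLAG_ENCRYPT_STORAGE = 0x04, 0x08

def parse_subpackets(area: bytes) -> Dict[int, bytes]:
    """Split a signature subpacket area into {type: body} (RFC 4880 5.2.3.1)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                        # one-octet length
            length, i = first, i + 1
        elif first < 255:                      # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                  # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        body = area[i:i + length]              # length covers the type octet too
        if length == 0 or len(body) != length:
            raise ValueError("truncated or empty subpacket")
        out[body[0] & 0x7F] = body[1:]         # high bit of the type is 'critical'
        i += length
    return out

def key_flags(sig_area: bytes) -> int:
    """Return the key-flags octet from a self-signature, or 0 if it is absent."""
    body = parse_subpackets(sig_area).get(KEY_FLAGS_SUBPACKET)
    return body[0] if body else 0

def pick_first_viable(keys: List[Tuple[str, bytes]]) -> Optional[str]:
    """Naive choice that ignores usage flags: whatever key comes first."""
    return keys[0][0] if keys else None

def pick_encryption_key(keys: List[Tuple[str, bytes]]) -> Optional[str]:
    """Flag-aware choice: only a key whose self-signature grants encryption usage."""
    for key_id, sig_area in keys:
        if key_flags(sig_area) & (FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE):
            return key_id
    return None

# Constructed sample certificate (hypothetical key ids): a certify/sign-only
# primary key listed first, an encryption-capable subkey second.
SIGN_ONLY = bytes([0x02, KEY_FLAGS_SUBPACKET, FLAG_CERTIFY | FLAG_SIGN])
ENCRYPT = bytes([0x02, KEY_FLAGS_SUBPACKET, FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE])
SAMPLE_CERT = [("primary-sign-only", SIGN_ONLY), ("subkey-encrypt", ENCRYPT)]

if __name__ == "__main__":
    print("first viable:", pick_first_viable(SAMPLE_CERT))   # primary-sign-only
    print("flag-aware  :", pick_encryption_key(SAMPLE_CERT))  # subkey-encrypt
```

On the sample certificate the naive choice lands on the sign-only primary key, which is exactly the kind of message the recipient cannot decrypt; the flag-aware choice picks the subkey.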
