Date: Tue, 20 Aug 2013 14:56:00 -0400
From: Daniel Kahn Gillmor <>
CC: Kurt Seifried <>, 
 "Eric H. Christensen" <>,,
Subject: Re: PostgreSQL insecure install via yum (multiple

On 08/20/2013 12:11 AM, Kurt Seifried wrote:
> Dunno who to ask, so adding Scrye: can we make sure Google indexes the
> Fedora key server? This actually raises a good point, what are the key
> servers now? The big 3 used to be:

None of the above represent the dominant set of keyservers currently
actively gossiping on the 'net today.  Probably the best mechanism to
track actively-syncing peers is  (*not* on its own).  The various pools in the subzones are well-maintained DNS round-robins.

for more details, see:

If you want to discuss the keyserver network, the dominant keyserver
implementation (SKS) or the DNS pools, the best place to do so is:

  SKS development list <>

GnuPG's default keyserver of is now a CNAME for, fwiw.


I agree with Moritz Naumann's analysis of the weakness of the postgresql
RPM key overall -- a 5.5-year-old 1024-bit DSA key is probably not
appropriate for use any more.  If the psql RPM folks are going to do any
work to improve this, they're probably better off starting with a new,
strong key entirely.

If they want to upgrade their key but don't want to change their
documentation at all, they can contact me off-list and I'll help them
generate a 4096-bit RSA key that has the matching short keyID, since
short keyIDs are trivial to spoof these days :P


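As an added example (not code from the message or the oss-security list), the following Python sketch shows the OpenPGP v4 key fields the points above hinge on: it parses a public-key packet body, computes the v4 fingerprint, derives the short key ID as the fingerprint's low 32 bits (which is why matching it is cheap and only the full fingerprint should be trusted), and flags a 1024-bit DSA key of roughly this age. The sample key material, creation time and the age threshold are constructed for illustration, not taken from the PostgreSQL RPM key.

```python
import hashlib
import struct

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1)
ALGO_NAMES = {1: "RSA", 17: "DSA"}


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_pubkey_packet_body(algo: int, created: int, params) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(p) for p in params)


def parse_v4_pubkey(body: bytes) -> dict:
    """Return creation time, algorithm name and nominal key size (bit length of the first MPI:
    the RSA modulus n or the DSA prime p)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    created, algo = struct.unpack(">IB", body[1:6])
    first_mpi_bits = struct.unpack(">H", body[6:8])[0]
    return {"created": created, "algo": ALGO_NAMES.get(algo, str(algo)), "bits": first_mpi_bits}


def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, two-byte body length, body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def short_keyid(fpr: str) -> str:
    # The 8-hex-digit short ID is just the low 32 bits of the fingerprint: far too little to identify a key.
    return fpr[-8:]


def assess(body: bytes, now: int) -> list:
    """Policy warnings in the spirit of the thread: weak algorithm/size and key age over five years."""
    k = parse_v4_pubkey(body)
    warnings = []
    if k["algo"] == "DSA" and k["bits"] <= 1024:
        warnings.append("1024-bit DSA signing key")
    age_years = (now - k["created"]) / (365.25 * 86400)
    if age_years > 5:
        warnings.append(f"key is {age_years:.1f} years old")
    return warnings


# Constructed sample (not a real key): 1024-bit DSA parameters as placeholder integers, created Feb 2008.
SAMPLE_DSA = v4_pubkey_packet_body(17, 1202000000, [2**1023 + 1, 2**159 + 1, 2, 3])
NOW_2013 = 1377024960  # Tue, 20 Aug 2013 18:56 UTC, the date of the message
```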
