Date: Mon, 3 Jul 2017 14:35:55 +0200 From: Kristian Fiskerstrand <k_f@...too.org> To: oss-security@...ts.openwall.com, Anthony Liguori <anthony@...emonkey.ws> Subject: Re: accepting new members to (linux-)distros lists On 07/02/2017 10:58 PM, Anthony Liguori wrote: > On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f@...too.org> wrote: >> The immediate thought that springs to mind is the [lack of OpenPGP >> support in bugzilla] which makes it difficult to ensure confidentiality >> unless disabling all email warnings. > > I would just assume all email is disabled. I don't know of a tool that > does this right so for security sensitive things, I think disabling email > notification is a best practice. It wouldn't take much to have a tool that does, mainly what I outline in the previous post to ensure OpenPGP keyblock management for the individual users, and as an extension of the scope for that perhaps a [MemoryHole] implementation to ensure confidentiality / integrity verification of the RFC822 headers such as Subject. Enigmail users should already have such support read-only[Note:A] References: [MemoryHole] http://modernpgp.org/memoryhole/ https://wiki.gnupg.org/OpenPGPEmailSummit201607/MemoryHole Notes: [Note:A] to toggle it on encrypted subjects on sending you'd use extensions.enigmail.protectHeaders -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.