On Fri, Jul 5, 2019 at 11:15 AM Pierre-Yves Chibon <pingou(a)pingoured.fr> wrote:
On Tue, Jul 02, 2019 at 02:47:36PM -0700, Kevin Fenzi wrote:
> Hey everyone,
>
> As some of you may have read:
>
>
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> and
>
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
>
> or other media reports about vulnerabilities of the current gpg
> keyserver software/network/policy.
>
> TLDR: Someone can (and has been) flooding sks keyservers with poisoned
> certs. Users that download from sks keyservers may well find gpg just
> stops working, hangs, or breaks in terrible ways. The SKS software is no
> longer maintained and because the policy is 'never delete anything'
> there's likely no way to mitigate the attacks.
>
> I've cc'ed nb here for his take on things, but as I read it, it might be
> best to just retire the
keys.fedoraproject.org service at least for now
> to avoid breaking users or telling them we have a service they should
> trust when they really... should not.
Having read this, +1 to decommission this service. This is quite saddening
though :(
I'd to hear nb's opinion on this but I think we may want to announce our intent
and turn it off somewhat soon.
As someone who relies on
keys.fedoraproject.org quite a lot, I'm sad
that we have to decommission it...
If we ever brought it back, we'd probably want to configure the server
to not be part of the SKS server ring...
--
真実はいつも一つ!/ Always, there's only one truth!