On 03/01/2015 06:01 PM, Marco Zehe wrote:
> Hi Kristian,
>
>> On 01.03.2015 at 17:54, Kristian Fiskerstrand
>> <kristian.fiskerstr...@sumptuouscapital.com> wrote:
>>
>> Since the author's first reaction was closing it WONTFIX I didn't
>> bother, with that kind of behavior they can't possibly take
>> security seriously.
>
> Error in judgement that has since been corrected. These things
> sometimes happen, but this should definitely not be generalized.
>
Fair enough, but it does tell something about culture that it happens, even if corrected.

>> (ii) Ditto for the issue of replacing the subkeys, as key
>> rotation would not be automatically taken into consideration and
>> would have to be uploaded manually to each bugzilla
>> implementation using that flawed piece of software (the
>> securemail extension, not bugzilla itself).
>
> Yes, these instances are all acting independently, there is no
> exchange between totally unrelated Bugzilla instances.

And there shouldn't be interaction between the various bugzilla instances, but there should be lookups to keyserver networks (preferably to a locally controlled keyserver to avoid certain information leakages, but that is another matter).

In my own case I'm on some 10-15 bugzillas, with at least an annual rotation of the encryption subkey of my main key, meaning I have to manually update the key in these instances (which currently involves manual key splitting and pasting non-conforming OpenPGP data) on the bugzillas that have enabled it.

Another issue with the current implementation, btw, is that there is no way to define group-based keys (see gpg's --group), so aliases can't be used, e.g. for an alias such as security@participant.invalid (this should be integrated into the already existing group restriction possibility in bugzilla), which ironically will send unencrypted email messages fondly even though something is restricted...
-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Veni vidi velcro
I came, I saw, I got stuck
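The rotation problem Kristian describes (an annually rotated encryption subkey that every Bugzilla instance must learn about by hand) is exactly the kind of thing a small script should flag before mail starts going to a stale key. The following is an added example, not code from the post or from GnuPG or Bugzilla: it parses the machine-readable `gpg --with-colons --fixed-list-mode --with-fingerprint --list-keys` output, picks the encryption-capable subkey (`e` in the capability field) that is currently usable, and reports whether rotation is due within a warning window. The key data embedded below is constructed with placeholder key IDs and fingerprints; `gpg_list_keys` is a hypothetical helper that runs the real command when you want to check a live keyring.

```python
"""Find the encryption subkey a correspondent should be using, and warn
when it is about to expire, from gpg's colon-delimited key listing.

Added example for the thread above; not part of the original post.
Record layout assumed (gpg --with-colons): field 1 record type, field 2
validity letter, field 5 key ID, field 6 creation time, field 7 expiry
time (unix seconds, empty = never), field 12 capabilities; an 'fpr'
record with the fingerprint in field 10 follows each pub/sub record."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subkey:
    keyid: str
    fingerprint: str
    created: int
    expires: Optional[int]  # None means the subkey never expires
    validity: str           # gpg validity letter ('e' expired, 'r' revoked, ...)

    def usable_at(self, now: int) -> bool:
        # Expired, revoked, disabled or invalid subkeys must not be encrypted to.
        if self.validity in ("e", "r", "d", "i"):
            return False
        return self.expires is None or self.expires > now


def parse_encryption_subkeys(colon_output: str) -> list[Subkey]:
    """Return every encryption-capable subkey, with its fingerprint."""
    subkeys: list[Subkey] = []
    pending: Optional[Subkey] = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "sub" and len(f) > 11:
            pending = None
            if "e" in f[11]:  # capability field: e = encrypt
                pending = Subkey(
                    keyid=f[4],
                    fingerprint="",
                    created=int(f[5]),
                    expires=int(f[6]) if f[6] else None,
                    validity=f[1],
                )
        elif f[0] == "fpr" and pending is not None:
            pending.fingerprint = f[9]
            subkeys.append(pending)
            pending = None
        else:
            pending = None  # any other record closes the current sub block
    return subkeys


def current_encryption_subkey(colon_output: str, now: int) -> Optional[Subkey]:
    """Newest usable encryption subkey, or None if the key needs attention."""
    usable = [k for k in parse_encryption_subkeys(colon_output) if k.usable_at(now)]
    return max(usable, key=lambda k: k.created) if usable else None


def rotation_due(colon_output: str, now: int, warn_days: int = 30) -> bool:
    """True when there is no usable encryption subkey, or the current one
    expires within warn_days (time to push the new key to every instance)."""
    cur = current_encryption_subkey(colon_output, now)
    if cur is None:
        return True
    if cur.expires is None:
        return False
    return cur.expires - now <= warn_days * 86400


def gpg_list_keys(keyid: str) -> str:
    """Hypothetical helper: fetch a live listing for keyid from the local keyring."""
    cmd = ["gpg", "--with-colons", "--fixed-list-mode", "--with-fingerprint",
           "--list-keys", keyid]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample listing: one primary key with two encryption subkeys,
# the first expired 2016-01-01, the second valid until 2017-01-01.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1420070400:0:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1420070400::0000000000000000000000000000000000000000::Example User <user@participant.invalid>::::::::::0:
sub:e:2048:1:1111111111111111:1420070400:1451606400:::::e::::::23:
fpr:::::::::0000000000000000000000001111111111111111:
sub:u:2048:1:2222222222222222:1451606400:1483228800:::::e::::::23:
fpr:::::::::0000000000000000000000002222222222222222:
"""

if __name__ == "__main__":
    now = 1480000000  # 2016-11-24, constructed "current time"
    cur = current_encryption_subkey(SAMPLE_LISTING, now)
    print("encrypt to:", cur.fingerprint if cur else "NO USABLE SUBKEY")
    print("rotation due (60-day window):", rotation_due(SAMPLE_LISTING, now, 60))
```

Run against a real keyring with `current_encryption_subkey(gpg_list_keys("0xKEYID"), int(time.time()))`; the fingerprint it returns is the one each Bugzilla instance must hold, and `rotation_due` is the check to schedule ahead of the annual subkey change so the manual re-upload happens before the old subkey expires rather than after.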