On Fri, Sep 26, 2025 at 8:57 AM Christian Ehrhardt <[email protected]> wrote:
>
> On Thu, Sep 25, 2025 at 1:33 PM Robie Basak <[email protected]> wrote:
> >
> > Without having gone into the security specifics in detail, this looks
> > great! I very much appreciate your initiative here - I think a set of
> > recommendations like this will make a difference, and I'm in favour of
> > the general direction of setting security guidelines and perhaps even
> > enforcing some of them in future to keep Ubuntu users safe.
>
> Thanks for the general support!
>
> > Some things that might be worth considering and appropriate text adding:
> >
> > 1) Who has control of the hardware key, knowledge of the passphrase and
> > control of the systems it is plugged into.
>
> totally reasonable - will add that
>
> > 2) Expectations of the above. The Ubuntu developer as an individual is
> > the only person authorised by Ubuntu and is expected to have exclusive
> > control of the key. If exclusive control is compromised then the key
> > should be revoked.
>
> same - will add that
>
> > 3) The importance of being in control of what the key is used to sign
> > (eg. an attack vector is that you activated your key to sign something
> > you thought was innocent but is actually controlled by an adversary).
I've added that, but in a softer tone to avoid ruling out people/setups
too easily while still keeping everyone vigilant about the potential risks.

> > 4) What actions to take if a key or signing compromise is suspected.

went to "known, but missing for now"

> > No need to block the PR on this but if not done now then perhaps these
> > could be added to an issue tracker somewhere to do later.

I've updated the PR [1] with content based on the discussions here and
further feedback that I've got.

- Add a section about control and ownership (thanks for the suggestions Robie)
- Refer to the glossary for signing keys
- List known missing aspects visible to the reader
- Acknowledge the lack of requirements for alternatives (from the
  discussion between Spyros and Aaron)
- Fix time-time: associate -> associated

[1]: https://github.com/ubuntu/ubuntu-project-docs/pull/182#issuecomment-3337587732

> I'll certainly add something for #1 and #2 today,
> for #3 and #4 I'll try but probably fall back to add a "known next
> steps" sections
> so things like these are not just missing but acknowledged to be needed yet
> for now undefined.
>
> That will help to not forget about these aspects and establish that we
> want to have them defined at some point.
>
> > Robie
> >
>
> --
> Christian Ehrhardt
> Director of Engineering, Ubuntu Server
> Canonical Ltd

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd
