-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 02/25/2015 12:14 PM, Olle E. Johansson wrote:
On 25 Feb 2015, at 17:24, Daniel Tryba d.tryba@pocos.nl wrote:
On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
Yes
- Do you have any changes to the policy to suggest?
Yes:
security@kamailio.org This address should have a PGP key associated, used by the security officers.
This is a security nightmare (a (for all purposes) shared private key).
You might want to look at the Debian security announces, there the individuals key is used for signing and the list filters on valid keys from individuals. https://www.debian.org/security/faq#signature This makes it a little more difficult to check if an announcement is actually from the list: -get key for fingerprint in mail -check key with currect securitylist member
Thank you for the feedback!
But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also.
I would love seeing signatures on releases. I think there's a key for the RPM packages somewhere.
/O
+1 on all points.
Fred Posner The Palner Group, Inc. http://www.palner.com (web) +1-503-914-0999 (direct)