Hello Kamailians!
During our last developer meeting, we had a discussion about implementing a security policy for the project. I drafted a proposal that seemed fine with the developer team. At this point, I'm looking for your feedback.
The proposal is short and brief at this point; we'll learn as we go. Much of it is inspired by the policy of the Asterisk project. You can find it here: http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
- Do you have any changes to the policy to suggest?
At this point, we're not looking for support systems for this, or any software platform - we're focusing on getting the policy right, then we're going to look at how to implement it.
Looking forward to your responses!
Best regards, /Olle
On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
Yes
- Do you have any changes to the policy to suggest?
Yes:
security@kamailio.org This address should have a PGP key associated, used by the security officers.
This is a security nightmare (a (for all purposes) shared private key).
You might want to look at the Debian security announcements; there the individual's key is used for signing and the list filters on valid keys from individuals. https://www.debian.org/security/faq#signature This makes it a little more difficult to check if an announcement is actually from the list:
- get key for fingerprint in mail
- check key with current security list member
But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also.
On 25 Feb 2015, at 17:24, Daniel Tryba d.tryba@pocos.nl wrote:
Thank you for the feedback!
But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also.
I would love seeing signatures on releases. I think there's a key for the RPM packages somewhere.
/O
On 02/25/2015 12:14 PM, Olle E. Johansson wrote:
+1 on all points.
Fred Posner The Palner Group, Inc. http://www.palner.com (web) +1-503-914-0999 (direct)
On Wednesday 25 February 2015 18:14:06 Olle E. Johansson wrote:
Thank you for the feedback!
BTW, the Yes to "is this a good thing" meant: this is a really good idea to have in writing. But you still have to rely on the bugfinders to realize the impact/need for secrecy.
But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also.
I would love seeing signatures
This needs some release management, this needs to be discussed with Daniel(- Constantin) as manager of the project and with the builders of packages.
On 25 Feb 2015, at 18:56, Daniel Tryba d.tryba@pocos.nl wrote:
On Wednesday 25 February 2015 18:14:06 Olle E. Johansson wrote:
Thank you for the feedback!
BTW, the Yes to "is this a good thing" meant: this is a really good idea to have in writing. But you still have to rely on the bugfinders to realize the impact/need for secrecy.
+1000 - this was discussed during the dev meeting.
But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also.
I would love seeing signatures
This needs some release management, this needs to be discussed with Daniel(- Constantin) as manager of the project and with the builders of packages.
Agree fully. It's currently out of scope for this document.
/O