[SR-Users] Kamailio Security Policy - How to handle vulnerability reports

Daniel Tryba d.tryba at pocos.nl
Wed Feb 25 17:24:48 CET 2015


On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
> http://www.kamailio.org/wiki/securitypolicy
> 
> 
> We encourage your feedback!
> 
> - Is this a good thing for the project?

Yes
 
> - Do you have any changes to the policy to suggest?

Yes:

> security at kamailio.org
> This address should have a PGP key associated, used by the security officers.

This is a security nightmare (a (for all purposes) shared private key).

You might want to look at the Debian security announcements, there the individual's 
key is used for signing and the list filters on valid keys from individuals. 
https://www.debian.org/security/faq#signature
This makes it a little more difficult to check if an announcement is actually 
from the list:
- get key for fingerprint in mail
- check key with current security list member 

But I fail to see how a pgp key for security is really important. Is there a 
PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ 
contains the latest version, but there is no way to verify if this is really 
the latest release. No ssl, no dnssec, no signed checksums. These should be 
considered also.

-- 

Telephone: 088 0100 700
Sales: sales at pocos.nl | Service: servicedesk at pocos.nl
http://www.pocos.nl/ | Croy 9c, 5653 LC Eindhoven | Kamer van Koophandel 17097024
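Added example (not code from this thread or from the Kamailio project): a POSIX sh sketch of the Debian-style check the mail describes, where a signature that merely verifies is not enough and the signing key must also belong to a current security-list member. The allowlist file (one key fingerprint per line) is an assumption; the parsing relies on the VALIDSIG line of gpg's --status-fd output.

```shell
#!/bin/sh
# Verify a detached signature on a release file, then require that the key
# which produced it is in an allowlist of current security-team fingerprints.
# Assumed inputs: release tarball, its detached .asc signature, and an
# allowlist file such as security-team.fprs (40-hex-char fingerprints).

# Extract the signer's primary-key fingerprint from gpg --status-fd output.
# VALIDSIG layout: [GNUPG:] VALIDSIG <sigfpr> <date> <ts> <exp> <ver> <res>
#                  <pkalgo> <hashalgo> <class> <primary-key-fpr>
validsig_fingerprint() {
    # $1 = captured status text (may be several lines)
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = $3
            if (NF >= 12) fpr = $12   # prefer the primary key fingerprint
            print toupper(fpr)
            exit
        }'
}

# Returns 0 only if a VALIDSIG line exists and its fingerprint is allowlisted.
# A BADSIG, an expired key, or a key outside the list all yield 1.
signer_is_current_member() {
    # $1 = status text, $2 = allowlist file
    fpr=$(validsig_fingerprint "$1")
    [ -n "$fpr" ] || return 1
    grep -qix "$fpr" "$2"
}

# Full check: cryptographic verification by gpg, then membership of the signer.
verify_release() {
    # $1 = release file, $2 = detached signature, $3 = allowlist file
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signer_is_current_member "$status" "$3"
}
```

Because membership is checked against the allowlist rather than against "any key gpg trusts", rotating a departed team member out is a one-line edit to the list, with no shared private key to revoke.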