[SR-Users] Kamailio Security Policy - How to handle vulnerability reports

Olle E. Johansson oej at edvina.net
Wed Feb 25 18:14:06 CET 2015


On 25 Feb 2015, at 17:24, Daniel Tryba <d.tryba at pocos.nl> wrote:

> On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
>> http://www.kamailio.org/wiki/securitypolicy
>> 
>> 
>> We encourage your feedback!
>> 
>> - Is this a good thing for the project?
> 
> Yes
> 
>> - Do you have any changes to the policy to suggest?
> 
> Yes:
> 
>> security at kamailio.org
>> This address should have a PGP key associated, used by the security officers.
> 
> This is a security nightmare (a (for all purposes) shared private key).
> 
> You might want to look at the Debian security announcements, there the individual's
> key is used for signing and the list filters on valid keys from individuals.
> https://www.debian.org/security/faq#signature
> This makes it a little more difficult to check if an announcement is actually
> from the list:
> - get key for fingerprint in mail
> - check key with current security list member
Thank you for the feedback!

> 
> But I fail to see how a pgp key for security is really important. Is there a
> PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
> contains the latest version, but there is no way to verify if this is really
> the latest release. No ssl, no dnssec, no signed checksums. These should be
> considered also.

I would love to see signatures on releases. I think there's a key for the RPM
packages somewhere.

/O
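The two checks discussed in this thread (is the announcement signed by a key that belongs to a *current* security-list member, and does a release tarball match a signed checksum file) can be scripted. The block below is an added example, not Kamailio project code: it parses the machine-readable `[GNUPG:]` status records that `gpg --status-fd` emits, requires both a GOODSIG and a VALIDSIG record (so expired or revoked keys, which gpg reports as EXPKEYSIG/REVKEYSIG instead of GOODSIG, are rejected), and then looks the signing fingerprint up in an allowlist of current officers. All fingerprints, names, status outputs and file contents are constructed placeholders; the filename `kamailio-X.Y.Z_src.tar.gz` is a stand-in, not a real release.

```python
"""Added example: verifying a signed announcement and a signed checksum file.
Not Kamailio project code; every key, name and file below is a constructed placeholder."""
import hashlib
import subprocess

# Constructed allowlist: fingerprints of the CURRENT security officers.
# This is the list a filtering mailing list (or a careful reader) has to keep up to date;
# a valid signature from someone who has left the team must not be accepted.
CURRENT_SECURITY_TEAM = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "Officer A (placeholder)",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98": "Officer B (placeholder)",
}


def gpg_status(sig_path, data_path):
    """Run gpg and return its machine-readable status records (needs gpg installed).
    '--status-fd 1' makes gpg print '[GNUPG:] ...' lines on stdout."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def _records(status_output):
    """Yield the whitespace-split fields of each '[GNUPG:] KEYWORD ...' line."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            yield fields


def signer_fingerprint(status_output):
    """Fingerprint of the key that produced a good signature, or None.
    gpg prints 'VALIDSIG <fingerprint> ...' only for signatures that verified; GOODSIG is
    printed only when the key is neither expired nor revoked, so both are required."""
    has_goodsig = any(f[1] == "GOODSIG" for f in _records(status_output))
    for fields in _records(status_output):
        if fields[1] == "VALIDSIG" and len(fields) >= 3 and has_goodsig:
            return fields[2].upper()
    return None


def authorised_signer(status_output, team=CURRENT_SECURITY_TEAM):
    """The two-step check from the thread: (1) is there a good signature at all,
    (2) does its fingerprint belong to a current security-list member?"""
    fpr = signer_fingerprint(status_output)
    if fpr is None:
        return False, "no good signature"
    if fpr not in team:
        return False, "good signature, but %s is not a current security officer" % fpr
    return True, "signed by %s" % team[fpr]


def verify_checksum(sums_text, filename, data):
    """Check a downloaded tarball against a SHA256SUMS-style file ('<hex>  <name>' per line).
    The SHA256SUMS file itself is what should carry the PGP signature."""
    expected = None
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == filename:
            expected = parts[0].lower()
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


# --- constructed sample data (not real gpg output, keys or releases) ---
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Officer A (placeholder) <a@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-02-25 1424883246 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Good signature, but the key belongs to nobody on the current team.
UNKNOWN_SIGNER_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Former Officer (placeholder) <x@example.invalid>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2015-02-25 1424883246 0 4 0 1 10 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Officer A (placeholder) <a@example.invalid>
"""
TARBALL = b"constructed tarball bytes, not a real release\n"
SUMS = "%s  kamailio-X.Y.Z_src.tar.gz\n" % hashlib.sha256(TARBALL).hexdigest()

if __name__ == "__main__":
    print(authorised_signer(GOOD_STATUS))            # (True, 'signed by Officer A (placeholder)')
    print(authorised_signer(UNKNOWN_SIGNER_STATUS))  # (False, ...)
    print(verify_checksum(SUMS, "kamailio-X.Y.Z_src.tar.gz", TARBALL))  # True
```

For a real announcement, `gpg_status(sig_path, data_path)` replaces the constructed `GOOD_STATUS`; the rest of the logic is unchanged. Note that `gpg --verify` exiting with status 0 only tells you the signature is cryptographically valid for whatever key is in your keyring, which is exactly the gap Daniel points out: the membership check against the current officer list is a separate step that the tool does not do for you.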