[SR-Users] Kamailio Security Policy - How to handle vulnerability reports

Fred Posner fred at palner.com
Wed Feb 25 18:34:05 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/25/2015 12:14 PM, Olle E. Johansson wrote:
> 
> On 25 Feb 2015, at 17:24, Daniel Tryba <d.tryba at pocos.nl> wrote:
> 
>> On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
>>> http://www.kamailio.org/wiki/securitypolicy
>>>
>>>
>>> We encourage your feedback!
>>>
>>> - Is this a good thing for the project?
>>
>> Yes
>>
>>> - Do you have any changes to the policy to suggest?
>>
>> Yes:
>>
>>> security at kamailio.org
>>> This address should have a PGP key associated, used by the security officers.
>>
>> This is a security nightmare (a (for all purposes) shared private key).
>>
>> You might want to look at the Debian security announcements, there the individual's
>> key is used for signing and the list filters on valid keys from individuals.
>> https://www.debian.org/security/faq#signature
>> This makes it a little more difficult to check if an announcement is actually
>> from the list:
>> - get key for fingerprint in mail
>> - check key with current securitylist member
> Thank you for the feedback!
> 
>>
>> But I fail to see how a pgp key for security is really important. Is there a
>> PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
>> contains the latest version, but there is no way to verify if this is really
>> the latest release. No ssl, no dnssec, no signed checksums. These should be
>> considered also.
> 
> I would love seeing signatures on releases. I think there's a key for the RPM
> packages somewhere.
> 
> /O

+1 on all points.


Fred Posner
The Palner Group, Inc.
http://www.palner.com (web)
+1-503-914-0999 (direct)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU7geGAAoJEIvgPjxiNb1paTQH/iE2N47s4Iz44GgA8u+1RGsp
/OsUw80soI+u+Yu+m4Zp0qpn2ZZHbDgIqA7F79s2rwo7I6XfdT/ehITCjC9KZcTs
UpPymi8+JDT6EugbQPf7dBoI6Jwu9Hxq3OcRBQtRum0JWbuEXMy5YYLZwCPjmrt/
sOkxbJ4mZcMoaY0JtfbSk1U3KrCsHenngCaRnPhbKlw4vm7GNxeOpK+cNRSqYMPN
Xzss/Q8wd5f8OyjVOzydVBCUDKRP49/9YMfbfQhQVHi4V7xjuU6tVSteLcn0hUqc
VCM6s1N/jqtlQXNumAz4kl96HqxmfL8w0sSrWmKd7ai+M2UQeU6J8kPF77pujhg=
=imCz
-----END PGP SIGNATURE-----
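The two-step check Daniel describes for Debian-style announcements (take the fingerprint from the signature, then compare it with the current list membership), combined with the signed checksums he asks for on releases, as an added example that is not part of this thread or of Kamailio's own tooling. It assumes a hypothetical release layout with a detached signature SHA256SUMS.asc over a sha256sum-style SHA256SUMS file, and the member fingerprints, file names and status lines below are constructed placeholders, not real keys or releases.

```python
"""Verify a release tarball against a PGP-signed checksum file and check that
the signing key belongs to a *current* security-team member.

Added example for this thread, not Kamailio project code.  Layout, file
names and fingerprints are hypothetical placeholders.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Hypothetical allow-list of the *current* team's primary-key fingerprints
# (constructed values, not real keys).  Rotating membership means editing
# this list, not re-sharing a private key.
CURRENT_MEMBERS = {
    "Alice": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "Bob":   "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98",
}


def normalize_fpr(fpr: str) -> str:
    """Strip spaces/colons and upper-case so differently formatted fingerprints compare equal."""
    return re.sub(r"[\s:]", "", fpr).upper()


def parse_gpg_status(status_text: str):
    """Parse `gpg --status-fd` output.

    Returns (primary_fingerprint, problems).  The fingerprint is the last field
    of the VALIDSIG line, i.e. the primary key even when a subkey made the
    signature; it is only returned when no failure keyword was seen.
    """
    problems, primary = [], None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG" and len(fields) >= 12:
            primary = normalize_fpr(fields[11])
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            problems.append(keyword)
    if problems:
        return None, problems
    if primary is None:
        problems.append("NO_VALIDSIG")
    return primary, problems


def signer_is_current_member(primary_fpr: str, members=CURRENT_MEMBERS):
    """Return the member name whose fingerprint matches, or None if the key is unknown/retired."""
    wanted = normalize_fpr(primary_fpr)
    for name, fpr in members.items():
        if normalize_fpr(fpr) == wanted:
            return name
    return None


def verify_checksums(sums_text: str, files: dict) -> dict:
    """Check sha256sum-style lines ('<hex>  <name>') against in-memory contents.

    Returns {name: bool}; a listed file that was not supplied counts as False.
    """
    results = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        data = files.get(name)
        results[name] = data is not None and hashlib.sha256(data).hexdigest() == digest.lower()
    return results


def verify_release(release_dir: Path, tarball: str):
    """Signature -> current member -> checksum, in that order; shells out to gpg."""
    sums = release_dir / "SHA256SUMS"
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sums) + ".asc", str(sums)],
        capture_output=True, text=True)
    primary, problems = parse_gpg_status(proc.stdout)
    if primary is None:
        return False, "signature check failed: " + ", ".join(problems)
    member = signer_is_current_member(primary)
    if member is None:
        return False, f"valid signature, but key {primary} is not a current team member"
    ok = verify_checksums(sums.read_text(), {tarball: (release_dir / tarball).read_bytes()})
    if not ok.get(tarball):
        return False, f"{tarball} does not match the signed checksum"
    return True, f"{tarball} verified; signed by {member}"


if __name__ == "__main__":
    # Usage: python verify_release.py <release_dir> <tarball-name>
    passed, reason = verify_release(Path(sys.argv[1]), sys.argv[2])
    print(reason)
    sys.exit(0 if passed else 1)
```

The order matters: a checksum is only meaningful once the checksum file's signature is valid, and a valid signature is only meaningful once the key is confirmed to belong to someone currently on the team, which is what lets a retired member's key be dropped without any shared key material changing hands.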


