Re: Thoughts about security of Linux distributor collaboration platforms, bugtrackers for opensource software

[Kristian Fiskerstrand <kristian.fiskerstrand () sumptuouscapital com>]

On 02/13/2016 02:15 PM, Hanno Böck wrote:
> On Sat, 13 Feb 2016 05:52:44 +0000 halfdog <me () halfdog net> wrote:
>
> > Hence really critical security material perhaps should not go to
> > such platforms, e.g. Ubuntu Launchpad, or the platform should be
> > modified to send security issues only in encrypted mails without
> > talkative title, members without mail public key registered
> > should get only message "Bug [Number]: Info changed" including
> > the HTTPS link to the issue in the platform.
>
> This is roughly what mozilla does and I like it a lot. They have a
> bug tracker over https and you can add a PGP key. If you don't add
> a PGP key and report a security bug you won't get updates via mail 
> unencrypted.

Sadly the bugzilla implementation, or rather the perl module they are
using for it, is flawed and encrypts to the first public key it
considers viable [0,1] irrespective of usage flags [2], resulting in
un-decryptable emails unless modifying the OpenPGP certificate
presented to secureEmail. I'd really like to see this fixed, but I'm
not sure if the scope is proper for a project such as GSoC. I actually
just wrote up a slight summary of such a project on [3]

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=790487
[1] https://github.com/btrott/Crypt-OpenPGP/issues/9
[2] http://tools.ietf.org/html/rfc4880#section-5.2.3.21
[3]
https://download.sumptuouscapital.com/GSoC/perl-bugzilla-openpgp-potential-gsoc-project.txt

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

Attachment: signature.asc
Description: OpenPGP digital signature