savannah-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-dev] [bug #4663] Sign security important announcements

From: nobody
Subject: [Savannah-dev] [bug #4663] Sign security important announcements
Date: Sat, 08 Nov 2003 06:05:19 -0500
User-agent: Mozilla/5.0 (compatible; Konqueror/3; Linux 2.4.18-27.7.x.cern; i686) 
=================== BUG #4663: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4663&group_id=11

Changes by: Mathieu Roy <address@hidden>
Date: sam 08.11.2003 à 12:05 (Europe/Paris)

            What     | Removed                   | Added
---------------------------------------------------------------------------
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
Ok, so the one who makes a security announce will sign it, it should be enough.

A mail to savannah-hackers has been sent about that.



=================== BUG #4663: FULL BUG SNAPSHOT ===================


Signalé par: jas                      Projet: Savannah                      
Signalé le: ven 08.08.2003 à 00:00
Category:  Hosted Projects Web site   Severity:  1 - Enhancement            
Priority:  Low                        Resolution:  Works for me             
Assigned to:  yeupou                  Status:  Closed                       
Fixed Release:                        

Summary:  Sign security important announcements

Original Submission:  Announcements such as the SSH host key change should be 
changed, e.g. by a PGP signing key shared among the core administrators.



(If you want to get advanced, use one of the "key sharing" techniques so that 
e.g. 3 out of 5 core members must participate to generate the signed 
announcement.  This reduces the chance that someone can attack one of the 
administrators to gain the savannah announcement key. I'm not sure GnuPG 
support this yet though.)



Follow-up Comments
*******************

-------------------------------------------------------
Date: sam 08.11.2003 à 12:05        By: yeupou
Ok, so the one who makes a security announce will sign it, it should be enough.

A mail to savannah-hackers has been sent about that.

-------------------------------------------------------
Date: mar 30.09.2003 à 10:01        By: yeupou
Maybe the one who post the item should just sign with his own key?

What kind of trouble can it pose?

-------------------------------------------------------
Date: mar 02.09.2003 à 09:09        By: yeupou
Interesting, we will document this procedure.


La liste CC est vide


Il n'y a aucun fichier attaché actuellement


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4663&group_id=11

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]