Recent gnupg keyserver DOS attack

Post your bugs here.
User avatar
Arjen Balfoort
Site Admin
Posts: 9286
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: Recent gnupg keyserver DOS attack

Postby Arjen Balfoort » 18 Jul 2019 06:18

Thanks, Ilu. That was a good read. I do not pretend to have understood everything but I understand what is most important: PGP is really unsafe and for most use cases there is a modern, secure alternatve.

I will check out Signify if it can be used in conjunction with reprepro.

Unfortunately there is no way to sign our ISOs for download: age is not done yet.

[EDIT]
signify is orphaned in Debian: https://bugs.debian.org/cgi-bin/bugrepo ... bug=738884
but signify-openbsd is available which contains signify-openbsd with the same parameter usage as signify.


SolydXK needs you!
Development | Testing | Translations

User avatar
ilu
Posts: 2499
Joined: 09 Oct 2013 12:45

Re: Recent gnupg keyserver DOS attack

Postby ilu » 18 Jul 2019 13:28

Our crypto guy says that signify, as it is, is not usable under Linux - other people have to look into that first. My posting was meant as "these arguments are good to know" - not as "do something about it". Let's just follow debian and wait for cryptographers to figure out what to do.
SiGnify ... ist auf Grund der Source-Inkompatibilität nur mit nem separatem Porting-Layer für BSD-Software unter Linux lauffähig. Dann brechen sie noch mit jedem üblichen Key-Format (X.509/PKCS#8 hätte ich ja noch verstanden, aber die haben da plain Ed25519 drin, was ein Campat-Hassle ohne Ende ist).

kurotsugi
Posts: 2230
Joined: 09 Jan 2014 00:17

Re: Recent gnupg keyserver DOS attack

Postby kurotsugi » 22 Jul 2019 15:29

the problems seems have been mitigated on testing. we can remove our modifications from the system (is there any?). all seems good at least for now

User avatar
ilu
Posts: 2499
Joined: 09 Oct 2013 12:45

Re: Recent gnupg keyserver DOS attack

Postby ilu » 23 Jul 2019 01:48

Do you have a source?

Fixes on testing won't help on stable. I think the fixes talked about here https://lists.debian.org/debian-release ... 00285.html were included in stable. But these cannot change the conf on already installed systems so the alert needs to stay. And I prefer our setting to not use ANY keyserver. If a users even knows about keyservers they can still set them up manually.

User avatar
ilu
Posts: 2499
Joined: 09 Oct 2013 12:45

Re: Recent gnupg keyserver DOS attack

Postby ilu » 23 Jul 2019 02:59

@Arjen: minisign https://jedisct1.github.io/minisign/ would be the tool to use on debian, but it's not there yet, see rfp https://bugs.debian.org/cgi-bin/bugrepo ... bug=869169. I can't find anything about using it with reprepro or with any repositories though.

kurotsugi
Posts: 2230
Joined: 09 Jan 2014 00:17

Re: Recent gnupg keyserver DOS attack

Postby kurotsugi » 23 Jul 2019 04:23

our repo management and lot of more stuffs still depends on pgp. due to it's nature a keyserver is required for pgp management. people like you and me won't need a keyserver but lot of devs works need keyserver. personally I think these stuffs is too much for us. it's better to leave the decisions to capable devs on debian

btw, no. I don't mean that we should remove this notice. I didn't follow this thread closely so I just notify that our modifications (if any) is not needed anymore since upstream have took care of it

User avatar
ilu
Posts: 2499
Joined: 09 Oct 2013 12:45

Re: Recent gnupg keyserver DOS attack

Postby ilu » 23 Jul 2019 05:37

The modifications are for user settings. Repo keys have nothing to do with gnupg user settings (apt handles them independently). Developers who use pgp should really be able to set up their gnupg with a keyserver of their choice without our help. Repos will move away from pgp in due time and average users should avoid it.

But maybe installing gnupg results in sane defaults now? I can't find further information. That's why I asked for your source.


Return to “Bug Control”

Who is online

Users browsing this forum: No registered users and 2 guests