So the way that I would see this working is that the security team would have up to maybe 4 people on it.

If a researcher just sends the report in the clear to the list, all good, just keep discussing on the list in plaintext. If a researcher requests GPG encryption, then someone from the list would send them a pubkey and the researcher would send back the details encrypted. The initial point of contact on the security team can then forward the details on to the other members of the security team (there aren't many of them); the Enigmail Thunderbird extension, which I assume most people use for doing GPG on email, can encrypt and send to multiple recipients.

You are correct, mailing lists often break GPG if they're not configured correctly. I think that the simplest approach is to move the encrypted conversations off the security list when there are only 4ish members. In that case, the security@ovs list is mostly just to pick up the initial reports.

On Sat Jan 10 2015 at 05:05:42 Ben Pfaff <b...@nicira.com> wrote:

> On Fri, Jan 09, 2015 at 10:44:20AM +1300, Andrew Kampjes wrote:
> > +Reporters may ask for a GPG key while initiating contact with the
> > +security team to deliver more sensitive reports.
> > +If the reporter has used GPG while disclosing, further vulnerability
> > +details should also be discussed using GPG.
>
> This is a nice idea but I do not see how it is practical. How is a
> mailing list discussion conducted using GPG?
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
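Review bot: the quoted added lines leave two things unspecified that a reporter needs: where the security team's GPG key (or its fingerprint) is published so the reporter can verify it before encrypting, and with whom the encrypted follow-up actually happens, since the reply points out that a mailing list cannot hold a GPG-encrypted discussion. Suggest extending "+Reporters may ask for a GPG key while initiating contact with the" to name where the key or fingerprint is published, and changing "+details should also be discussed using GPG." to say that encrypted follow-up is conducted directly with the individual security team members rather than on the list, which matches the process described in the reply above.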