Well if no-one wants to use it, then I'll remove the GPG parts and call it good-enough.
On Mon Jan 12 2015 at 06:26:43 Ben Pfaff <b...@nicira.com> wrote:

> I don't know anyone who uses Thunderbird. I never have. I'm not going
> to switch for this.
>
> On Fri, Jan 09, 2015 at 10:26:05PM +0000, Andrew Kampjes wrote:
> > So the way that I would see this working, is the security team would have
> > up to maybe 4 people on it.
> >
> > If a researcher just sends the report in the clear to the list, all good,
> > just keep discussing on the list in plaintext.
> > If a researcher requests GPG encryption, then someone from the list would
> > send them a pubkey and the researcher would send back the details encrypted.
> >
> > The initial point of contact on the security team can then forward the
> > details onto the other members of the security team (there aren't many of
> > them), enigmail thunderbird extension, which I assume most people use for
> > doing GPG on email encrypt and send to multiple recipients.
> >
> > You are correct, mailing lists often break GPG if they're not configured
> > correctly. I think that the simplest approach is to move the encrypted
> > conversations off the security list when there are only 4ish members.
> > In that case, the security@ovs list is mostly just to pick up the initial
> > reports.
> >
> >
> > On Sat Jan 10 2015 at 05:05:42 Ben Pfaff <b...@nicira.com> wrote:
> >
> > > On Fri, Jan 09, 2015 at 10:44:20AM +1300, Andrew Kampjes wrote:
> > > > +Reporters may ask for a GPG key while initiating contact with the
> > > > +security team to deliver more sensitive reports.
> > > > +If the reporter has used GPG while disclosing, further vulnerability
> > > > +details should also be discussed using GPG.
> > >
> > > This is a nice idea but I do not see how it is practical. How is a
> > > mailing list discussion conducted using GPG?
> > >
> >

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
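
Review bot: The first added sentence, "+Reporters may ask for a GPG key while initiating contact with the", does not say whose key the reporter receives or how the reporter can check that it is genuine. A key handed out in reply to an unencrypted request is only as trustworthy as that unauthenticated mail, so the text should name the key holder(s) and state the fingerprint, or where it is published, in the document itself. The second added sentence, "+details should also be discussed using GPG.", also leaves open who must be able to decrypt the follow-up discussion; it should state the recipients the reporter is expected to encrypt to and whether that discussion stays on the list address or moves off it.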