On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote: > http://www.kamailio.org/wiki/securitypolicy > > > We encourage your feedback! > > - Is this a good thing for the project?
Yes > - Do you have any changes to the policy to suggest? Yes: >secur...@kamailio.org >This address should have a PGP key associated, used by the security officers. This is a security nightmare (a (for all purposes) shared private key). You might want to look at the Debian security announces, there the individuals key is used for signing and the list filters on valid keys from individuals. https://www.debian.org/security/faq#signature This makes it a little more difficult to check if an announcement is actually from the list: -get key for fingerprint in mail -check key with currect securitylist member But I fail to see how a pgp key for security is really important. Is there a PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest version, but there is no way to verify if this is really the latest release. No ssl, no dnssec, no signed checksums. These should be considered also. -- Telefoon: 088 0100 700 Sales: sa...@pocos.nl | Service: serviced...@pocos.nl http://www.pocos.nl/ | Croy 9c, 5653 LC Eindhoven | Kamer van Koophandel 17097024
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
