On 02/25/2015 12:14 PM, Olle E. Johansson wrote:
>
> On 25 Feb 2015, at 17:24, Daniel Tryba <d.tr...@pocos.nl> wrote:
>
>> On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
>>> http://www.kamailio.org/wiki/securitypolicy
>>>
>>>
>>> We encourage your feedback!
>>>
>>> - Is this a good thing for the project?
>>
>> Yes
>>
>>> - Do you have any changes to the policy to suggest?
>>
>> Yes:
>>
>>> secur...@kamailio.org
>>> This address should have a PGP key associated, used by the security
>>> officers.
>>
>> This is a security nightmare (a (for all purposes) shared private key).
>>
>> You might want to look at the Debian security announces, there the
>> individual's key is used for signing and the list filters on valid keys
>> from individuals.
>> https://www.debian.org/security/faq#signature
>> This makes it a little more difficult to check if an announcement is actually
>> from the list:
>> -get key for fingerprint in mail
>> -check key with current securitylist member
> Thank you for the feedback!
>
>>
>> But I fail to see how a pgp key for security is really important. Is there a
>> PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
>> contains the latest version, but there is no way to verify if this is really
>> the latest release. No ssl, no dnssec, no signed checksums. These should be
>> considered also.
>
> I would love seeing signatures on releases. I think there's a key for the RPM
> packages somewhere.
>
> /O

+1 on all points.

Fred Posner
The Palner Group, Inc.
http://www.palner.com (web)
+1-503-914-0999 (direct)
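The two-step check quoted above for the Debian model (get the key for the fingerprint in the mail, then check it against the current security-list members), as an added example that is not part of the original thread. It reads the text GnuPG writes with `--status-fd`; `signer_from_status` is a hypothetical helper, and the member names, fingerprints and status lines are constructed.

```python
# Added example; fingerprints and status lines are constructed sample values.
# Input is the text GnuPG writes with: gpg --status-fd 1 --verify mail.asc

MEMBERS = {  # hypothetical allowlist: primary-key fingerprint -> member
    "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111": "officer-one",
    "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222": "officer-two",
}
# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_from_status(status_text, members=MEMBERS):
    """Return the list member who signed, or None if not acceptable."""
    primaries = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in REJECT:
            return None  # reject even if a VALIDSIG line is also present
        if fields[0] == "VALIDSIG":
            if len(fields) < 11:
                return None  # no primary-key fingerprint reported
            # fields[1] may be a signing subkey; the last field is the primary key.
            primaries.append(fields[-1].upper())
    if len(primaries) != 1:  # unsigned, or more than one signature
        return None
    return members.get(primaries[0])

SUB = "CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333"  # constructed signing subkey
TAIL = " 2015-02-25 1424884486 0 4 0 1 2 01 "
GOOD = ("[GNUPG:] GOODSIG 3333CCCC3333CCCC officer-one\n"
        "[GNUPG:] VALIDSIG " + SUB + TAIL + "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n")
OUTSIDER = ("[GNUPG:] GOODSIG 3333CCCC3333CCCC someone\n"
            "[GNUPG:] VALIDSIG " + SUB + TAIL + "DDDD4444DDDD4444DDDD4444DDDD4444DDDD4444\n")
EXPIRED = GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("outsider", OUTSIDER), ("expired", EXPIRED)]:
        print(name, "->", signer_from_status(text))
```

Matching on the primary-key fingerprint rather than the key ID or the user ID string keeps the allowlist stable when a member rotates signing subkeys.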