You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@whimsical.apache.org by "Sam Ruby (JIRA)" <ji...@apache.org> on 2019/06/30 01:33:00 UTC

[jira] [Commented] (WHIMSY-274) Switch to hkps://keys.openpgp.org for downloading keys

    [ https://issues.apache.org/jira/browse/WHIMSY-274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16875629#comment-16875629 ] 

Sam Ruby commented on WHIMSY-274:
---------------------------------

For the secretary workbench, this is the line to update:

 

https://github.com/apache/whimsy/blob/3c5aad38815a3059a0aade5ceed024796fe9fa4b/www/secretary/workbench/views/actions/check-signature.json.rb#L9

> Switch to hkps://keys.openpgp.org for downloading keys
> ------------------------------------------------------
>
>                 Key: WHIMSY-274
>                 URL: https://issues.apache.org/jira/browse/WHIMSY-274
>             Project: Whimsy
>          Issue Type: Improvement
>          Components: SecMail
>            Reporter: Matt Sicker
>            Assignee: Craig L Russell
>            Priority: Major
>
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> The SKS keyserver pool is now infected with some bad certificates which can cause a denial of service attack to gpg (and likely other similar tools). It sounds like it would be prudent to either disable downloading keys or switch to a safer keyserver for now.
> Ideally, users should be able to upload their own GPG keys, and that uploader could automatically filter out these types of malicious keys. This would be a separate feature, though, but now it seems more useful.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)