Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/10/21 23:11:08 UTC
[Bug 6223] New: distro signing key is unsafe
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223
Summary: distro signing key is unsafe
Product: Spamassassin
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Building & Packaging
AssignedTo: dev@spamassassin.apache.org
ReportedBy: jm@jmason.org
http://www.apache.org/dev/release-signing.html notes:
'Committers with a DSA key or an RSA key of length less than 2048 bits should
generate a new key for signing releases. The original key does not need to be
revoked yet.'
our sa-update signing key is 4096-bit RSA, but
http://www.apache.org/dist/spamassassin/KEYS uses a 1024-bit DSA key :(
http://www.apache.org/dev/key-transition.html details what we need to do.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6223] distro signing key is unsafe
Warren Togami <wt...@redhat.com> changed:
What | Removed | Added
-----+---------+---------------------------------------------------------
CC   |         | duncf@apache.org, felicity@apache.org, parkerm@pobox.com
--- Comment #3 from Warren Togami <wt...@redhat.com> 2009-12-02 11:16:21 UTC ---
As discussed on dev@ list, it is time to generate a new key using these
apache.org recommendations. We need someone who knows the old key passphrase
to generate the new key, then sign it with the old key. We need the key in
order to do the beta and final release of 3.3.0.
We also need to discuss expanding the group of signers to active members of the
project.
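The transition described in the comments above (a new signing key that meets the apache.org rule, certified by the key it replaces) is something a release manager can check mechanically instead of by eye. The following is an added example, not code from the bug thread or from the SpamAssassin project: it parses the machine-readable `gpg --with-colons` listing of a KEYS file or keyring, flags every primary key that is DSA or RSA under 2048 bits, and confirms that the replacement key carries a certification from the old one. The key ids, user ids and the whole sample listing are constructed for the example; the `gpg --show-keys` invocation assumes GnuPG 2.2 or newer.

```python
"""Added example (not part of the bug thread or the SpamAssassin project):
audit a KEYS file / keyring listing against the release-signing rule quoted
in the bug (no DSA keys, no RSA keys under 2048 bits) and check that a
replacement key carries a certification from the key it replaces."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# OpenPGP public-key algorithm ids (RFC 4880, section 9.1)
RSA_ALGOS = {1, 2, 3}   # RSA (encrypt or sign), RSA encrypt-only, RSA sign-only
DSA_ALGO = 17
MIN_RSA_BITS = 2048     # threshold from the apache.org release-signing page


@dataclass
class KeyRecord:
    keyid: str
    algo: int
    bits: int
    uid: str = ""
    certifiers: set[str] = field(default_factory=set)  # keyids of non-self sigs


def parse_colon_listing(text: str) -> list[KeyRecord]:
    """Parse `gpg --with-colons` key listing output (pub/uid/sig records).

    Works on the machine-readable output of --list-keys, --show-keys and
    --check-sigs; fields are positional (type, validity, bits, algo, keyid, ...).
    """
    keys: list[KeyRecord] = []
    current: KeyRecord | None = None
    for line in text.splitlines():
        cols = line.split(":")
        kind = cols[0]
        if kind == "pub" and len(cols) > 4:
            current = KeyRecord(keyid=cols[4], algo=int(cols[3]), bits=int(cols[2]))
            if len(cols) > 9 and cols[9]:      # GnuPG 1.x put the first uid here
                current.uid = cols[9]
            keys.append(current)
        elif current is None:
            continue
        elif kind == "uid" and len(cols) > 9 and not current.uid:
            current.uid = cols[9]
        elif kind == "sig" and len(cols) > 4 and cols[4] != current.keyid:
            current.certifiers.add(cols[4])    # a certification by some other key
    return keys


def policy_violation(key: KeyRecord) -> str | None:
    """Return why the key may not sign releases, or None if it is acceptable."""
    if key.algo == DSA_ALGO:
        return "DSA key"
    if key.algo in RSA_ALGOS and key.bits < MIN_RSA_BITS:
        return f"RSA key shorter than {MIN_RSA_BITS} bits ({key.bits})"
    return None


def audit(listing: str) -> list[tuple[str, str]]:
    """(keyid, reason) for every primary key in the listing that violates policy."""
    found = []
    for key in parse_colon_listing(listing):
        reason = policy_violation(key)
        if reason:
            found.append((key.keyid, reason))
    return found


def transition_ok(listing: str, old_keyid: str, new_keyid: str) -> bool:
    """True if the new key is policy-clean and certified by the old key."""
    keys = {k.keyid: k for k in parse_colon_listing(listing)}
    new = keys.get(new_keyid)
    return new is not None and policy_violation(new) is None and old_keyid in new.certifiers


def listing_from_keys_file(path: str) -> str:
    """Run GnuPG (assumed 2.2 or newer, for --show-keys) over a KEYS file."""
    cmd = ["gpg", "--batch", "--with-colons", "--show-keys", path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample listing (fake keyids, fake uids): a 1024-bit DSA key that
# fails the rule and a 4096-bit RSA key that it has certified, as in the bug.
OLD_KEYID = "0000000000000001"
NEW_KEYID = "0000000000000003"
SAMPLE_LISTING = "\n".join([
    f"pub:-:1024:17:{OLD_KEYID}:2001-01-01:::-:::scESC::::::",
    "uid:-::::2001-01-01::0123456789ABCDEF0123456789ABCDEF01234567::Example Signer <signer@example.invalid>::::::::::",
    f"sig:!::17:{OLD_KEYID}:2001-01-01::::Example Signer <signer@example.invalid>:13x::::::",
    "sub:-:1024:16:0000000000000002:2001-01-01::::::e::::::",
    f"pub:-:4096:1:{NEW_KEYID}:2009-12-02:::-:::scESC::::::",
    "uid:-::::2009-12-02::76543210FEDCBA9876543210FEDCBA9876543210::Example Signer <signer@example.invalid>::::::::::",
    f"sig:!::1:{NEW_KEYID}:2009-12-02::::Example Signer <signer@example.invalid>:13x::::::",
    f"sig:!::17:{OLD_KEYID}:2009-12-02::::Example Signer <signer@example.invalid>:10x::::::",
])

if __name__ == "__main__":
    for keyid, reason in audit(SAMPLE_LISTING):
        print(f"{keyid}: {reason}")
    print("transition certified:", transition_ok(SAMPLE_LISTING, OLD_KEYID, NEW_KEYID))
```

Against a real KEYS file, feed `listing_from_keys_file("KEYS")` to `audit` and `transition_ok`; the certification check only sees signatures that GnuPG prints, so run it on a keyring that already holds the old key (or use `--check-sigs` output) rather than on a bare export of the new key.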
[Bug 6223] distro signing key is unsafe
Justin Mason <jm...@jmason.org> changed:
What             | Removed     | Added
-----------------+-------------+----------------------------------
Priority         | P5          | P3
CC               |             | jm@jmason.org
Version          | unspecified | SVN Trunk (Latest Devel Version)
Target Milestone | Undefined   | 3.3.0
Severity         | enhancement | normal
--- Comment #1 from Justin Mason <jm...@jmason.org> 2009-10-21 14:11:57 UTC ---
it would be nice to do this for 3.3.0 (but not required... yet)
[Bug 6223] distro signing key is unsafe
Mark Thomas <ma...@apache.org> changed:
What | Removed          | Added
-----+------------------+------
CC   | markt@apache.org |
[Bug 6223] distro signing key is unsafe
Mark Martinec <Ma...@ijs.si> changed:
What     | Removed | Added
---------+---------+------
Priority | P3      | P2
[Bug 6223] distro signing key is unsafe
Mark Thomas <ma...@apache.org> changed:
What     | Removed | Added
---------+---------+-----------------
Priority | P3      | P2
CC       |         | markt@apache.org
--- Comment #2 from Mark Thomas <ma...@apache.org> 2009-11-30 13:32:51 UTC ---
Restoring change originally made by Mark Martinec
[Bug 6223] distro signing key is unsafe
--- Comment #5 from Mark Martinec <Ma...@ijs.si> 2009-12-02 15:36:46 UTC ---
> http://people.apache.org/... is the new key
I think a private key should be a closely guarded secret (not freely
accessible), much more so than its password. A password (say 40 characters
times 6 bits = 240 bits) is a much weaker target than 4096 bits of a
private key.
[Bug 6223] distro signing key is unsafe
Justin Mason <jm...@jmason.org> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution |         | FIXED
--- Comment #4 from Justin Mason <jm...@jmason.org> 2009-12-02 14:00:24 UTC ---
done!
http://people.apache.org/~jm/KEYS.bug6223 is the new key (and the old one, to
allow verification of old releases, until we eventually kill it off).
http://www.apache.org/dist/spamassassin/KEYS has been updated, and will update
as the mirrors update.
The key uses the same passphrase as the old one did. Now to tell more people
what that is ;)