25 Feb
2015
25 Feb
'15
5:14 p.m.
Hello Kamailians!
During our last developer meeting, we had a discussion about implementing a security
policy for the project. I drafted a proposal that seemed fine with the developer team. At
this point, I'm looking for your feedback.
The proposal is short and brief at this point, we'll learn as we go. Much of it is
inspired by the policy of the Asterisk project.
You can find it here:
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
- Do you have any changes to the policy to suggest?
At this point, we're not looking for support systems for this, or any software
platform - we're focusing on getting the policy right, then we're going to look on
how to implement it.
Looking forward to your responses!
Best regards,
/Olle
25 Feb
25 Feb
6:24 p.m.
New subject: Kamailio Security Policy - How to handle vulnerability reports
On Wednesday 25 February 2015 16:14:43 Olle E. Johansson wrote:
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
Yes
- Do you have any changes to the policy to suggest?
Yes:
security(a)kamailio.org
This address should have a PGP key associated, used by the security officers.
This is a security nightmare (a (for all purposes) shared private key).
You might want to look at the Debian security announces, there the individuals
key is used for signing and the list filters on valid keys from individuals.
https://www.debian.org/security/faq#signature
This makes it a little more difficult to check if an announcement is actually
from the list:
-get key for fingerprint in mail
-check key with currect securitylist member
But I fail to see how a pgp key for security is really important. Is there a
PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
contains the latest version, but there is no way to verify if this is really
the latest release. No ssl, no dnssec, no signed checksums. These should be
considered also.
--
Telefoon: 088 0100 700
Sales: sales(a)pocos.nl | Service: servicedesk(a)pocos.nl
http://www.pocos.nl/ | Croy 9c, 5653 LC Eindhoven | Kamer van Koophandel
17097024
7:14 p.m.
New subject: Kamailio Security Policy - How to handle vulnerability reports
On 25 Feb 2015, at 17:24, Daniel Tryba <d.tryba(a)pocos.nl> wrote:
On Wednesday 25 February 2015 16:14:43 Olle E.
Johansson wrote:
Thank you for the feedback!
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
Yes
- Do you have any changes to the policy to
suggest?
Yes:
security(a)kamailio.org
This address should have a PGP key associated, used by the security officers.
This is a security nightmare (a (for all purposes) shared private key).
You might want to look at the Debian security announces, there the individuals
key is used for signing and the list filters on valid keys from individuals.
https://www.debian.org/security/faq#signature
This makes it a little more difficult to check if an announcement is actually
from the list:
-get key for fingerprint in mail
-check key with currect securitylist member
But I fail to see how a pgp key for security is really important. Is there a
PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
contains the latest version, but there is no way to verify if this is really
the latest release. No ssl, no dnssec, no signed checksums. These should be
considered also.
I would love seeing signatures on releases. I think there's a key for the RPM
packages somewhere.
/O
7:34 p.m.
New subject: Kamailio Security Policy - How to handle vulnerability reports
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/25/2015 12:14 PM, Olle E. Johansson wrote:
On 25 Feb 2015, at 17:24, Daniel Tryba <d.tryba(a)pocos.nl> wrote:
+1 on all points.
Fred Posner
The Palner Group, Inc.
http://www.palner.com (web)
+1-503-914-0999 (direct)
On Wednesday 25 February 2015 16:14:43 Olle E.
Johansson wrote:
Thank you for the feedback!
http://www.kamailio.org/wiki/securitypolicy
We encourage your feedback!
- Is this a good thing for the project?
Yes
- Do you have any changes to the policy to
suggest?
Yes:
security(a)kamailio.org
This address should have a PGP key associated, used by the security officers.
This is a security nightmare (a (for all purposes) shared private key).
You might want to look at the Debian security announces, there the individuals
key is used for signing and the list filters on valid keys from individuals.
https://www.debian.org/security/faq#signature
This makes it a little more difficult to check if an announcement is actually
from the list:
-get key for fingerprint in mail
-check key with currect securitylist member
But I fail to see how a pgp key for security is really important. Is there a
PKI for kamailio releases? http://www.kamailio.org/pub/kamailio/latest/src/
contains the latest version, but there is no way to verify if this is really
the latest release. No ssl, no dnssec, no signed checksums. These should be
considered also.
I would love seeing signatures on releases. I think there's a key for the RPM
packages somewhere.
/O -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU7geGAAoJEIvgPjxiNb1paTQH/iE2N47s4Iz44GgA8u+1RGsp
/OsUw80soI+u+Yu+m4Zp0qpn2ZZHbDgIqA7F79s2rwo7I6XfdT/ehITCjC9KZcTs
UpPymi8+JDT6EugbQPf7dBoI6Jwu9Hxq3OcRBQtRum0JWbuEXMy5YYLZwCPjmrt/
sOkxbJ4mZcMoaY0JtfbSk1U3KrCsHenngCaRnPhbKlw4vm7GNxeOpK+cNRSqYMPN
Xzss/Q8wd5f8OyjVOzydVBCUDKRP49/9YMfbfQhQVHi4V7xjuU6tVSteLcn0hUqc
VCM6s1N/jqtlQXNumAz4kl96HqxmfL8w0sSrWmKd7ai+M2UQeU6J8kPF77pujhg=
=imCz
-----END PGP SIGNATURE-----
7:56 p.m.
New subject: Kamailio Security Policy - How to handle vulnerability reports
On Wednesday 25 February 2015 18:14:06 Olle E. Johansson wrote:
This needs some release management, this needs to be discussed with Daniel(-
Constantin) as manager of the project and with the builders of packages.
--
Telefoon: 088 0100 700
Sales: sales(a)pocos.nl | Service: servicedesk(a)pocos.nl
http://www.pocos.nl/ | Croy 9c, 5653 LC Eindhoven | Kamer van Koophandel
17097024
Thank you for the feedback!
BTW the Yes to is this a good thing ment: this is a really good idea to have
in writing. But you still have to rely on the bugfinders to realize the
impact/need to secrecy.
But I fail to
see how a pgp key for security is really important. Is
there a PKI for kamailio releases?
http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest
version, but there is no way to verify if this is really the latest
release. No ssl, no dnssec, no signed checksums. These should be
considered also.
I would love seeing signatures
10:53 p.m.
New subject: Kamailio Security Policy - How to handle vulnerability reports
On 25 Feb 2015, at 18:56, Daniel Tryba <d.tryba(a)pocos.nl> wrote:
This needs some release management, this needs to be discussed with Daniel(-
Constantin) as manager of the project and with the builders of packages.
Agree fully. It's currently out of scope for this document.
/O
On Wednesday 25 February 2015 18:14:06 Olle E.
Johansson wrote:
+1000 - this was discussed during the dev meeting.
Thank you for the feedback!
BTW the Yes to is this a good thing ment: this is a really good idea to have
in writing. But you still have to rely on the bugfinders to realize the
impact/need to secrecy. But I
fail to see how a pgp key for security is really important. Is
there a PKI for kamailio releases?
http://www.kamailio.org/pub/kamailio/latest/src/ contains the latest
version, but there is no way to verify if this is really the latest
release. No ssl, no dnssec, no signed checksums. These should be
considered also.
I would love seeing signatures
3558
days inactive
3558
days old
5 comments
3 participants
participants (3)
-
Daniel Tryba -
Fred Posner -
Olle E. Johansson