[ovs-dev] [PATCHv2] Update SECURITY.md

Andrew Kampjes a.kampjes at gmail.com
Mon Jan 12 04:24:24 UTC 2015


Well if no-one wants to use it, then I'll remove the GPG parts and call it
good-enough.

On Mon Jan 12 2015 at 06:26:43 Ben Pfaff <blp at nicira.com> wrote:

> I don't know anyone who uses Thunderbird.  I never have.  I'm not going
> to switch for this.
>
> On Fri, Jan 09, 2015 at 10:26:05PM +0000, Andrew Kampjes wrote:
> > So the way that I would see this working, is the security team would have
> > up to maybe 4 people on it.
> >
> > If a researcher just sends the report in the clear to the list, all good,
> > just keep discussing on the list in plaintext.
> > If a researcher requests GPG encryption, then someone from the list would
> > send them a pubkey and the researcher would send back the details
> > encrypted.
> >
> > The initial point of contact on the security team can then forward the
> > details onto the other members of the security team (there aren't many of
> > them), enigmail thunderbird extension, which I assume most people use for
> > doing GPG on email encrypt and send to multiple recipients.
> >
> > You are correct, mailing lists often break GPG if they're not configured
> > correctly. I think that the simplest approach is to move the encrypted
> > conversations off the security list when there are only 4ish members.
> > In that case, the security at ovs list is mostly just to pick up the
> > initial reports.
> >
> >
> > On Sat Jan 10 2015 at 05:05:42 Ben Pfaff <blp at nicira.com> wrote:
> >
> > > On Fri, Jan 09, 2015 at 10:44:20AM +1300, Andrew Kampjes wrote:
> > > > +Reporters may ask for a GPG key while initiating contact with the
> > > > +security team to deliver more sensitive reports.
> > > > +If the reporter has used GPG while disclosing, further vulnerability
> > > > +details should also be discussed using GPG.
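Review bot: The first added sentence ("Reporters may ask for a GPG key ...") does not say whose key is sent or how the reporter can check that it is genuine, and the second sentence requires follow-up discussion "using GPG" without saying which security team members must be able to decrypt it. Suggest naming the key holder(s) and stating the key fingerprint in SECURITY.md itself, and saying whether encrypted follow-up happens on the list or directly between the reporter and named team members.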
> > >
> > > This is a nice idea but I do not see how it is practical.  How is a
> > > mailing list discussion conducted using GPG?
> > >
>


