
Mailing List Archive: SpamAssassin: devel

[Bug 6223] distro signing key is unsafe

 

 



bugzilla-daemon at bugzilla

Nov 27, 2009, 1:29 AM

Post #1 of 6 (563 views)
[Bug 6223] distro signing key is unsafe

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

Mark Martinec <Mark.Martinec [at] ijs> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P2

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Nov 30, 2009, 1:32 PM

Post #2 of 6 (505 views)
[Bug 6223] distro signing key is unsafe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

Mark Thomas <markt [at] apache> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P2
CC| |markt [at] apache

--- Comment #2 from Mark Thomas <markt [at] apache> 2009-11-30 13:32:51 UTC ---
Restoring change originally made by Mark Martinec



bugzilla-daemon at bugzilla

Dec 2, 2009, 11:16 AM

Post #3 of 6 (493 views)
[Bug 6223] distro signing key is unsafe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

Warren Togami <wtogami [at] redhat> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |duncf [at] apache,
| |felicity [at] apache,
| |parkerm [at] pobox

--- Comment #3 from Warren Togami <wtogami [at] redhat> 2009-12-02 11:16:21 UTC ---
As discussed on dev@ list, it is time to generate a new key using these
apache.org recommendations. We need someone who knows the old key passphrase
to generate the new key, then sign it with the old key. We need the key in
order to do the beta and final release of 3.3.0.

We also need to discuss expanding the group of signers to active members of the
project.



bugzilla-daemon at bugzilla

Dec 2, 2009, 11:20 AM

Post #4 of 6 (494 views)
[Bug 6223] distro signing key is unsafe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

Mark Thomas <markt [at] apache> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC|markt [at] apache |



bugzilla-daemon at bugzilla

Dec 2, 2009, 2:00 PM

Post #5 of 6 (491 views)
[Bug 6223] distro signing key is unsafe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

Justin Mason <jm [at] jmason> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED

--- Comment #4 from Justin Mason <jm [at] jmason> 2009-12-02 14:00:24 UTC ---
done!
http://people.apache.org/~jm/KEYS.bug6223 is the new key (and the old one, to
allow verification of old releases, until we eventually kill it off).

http://www.apache.org/dist/spamassassin/KEYS has been updated, and will update
as the mirrors update.

The key uses the same passphrase as the old one did. Now to tell more people
what that is ;)



bugzilla-daemon at bugzilla

Dec 2, 2009, 3:36 PM

Post #6 of 6 (490 views)
[Bug 6223] distro signing key is unsafe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6223

--- Comment #5 from Mark Martinec <Mark.Martinec [at] ijs> 2009-12-02 15:36:46 UTC ---
> http://people.apache.org/... is the new key

I think a private key should be a closely guarded secret (not freely
accessible), much more so than its password. A password (say 40 characters
times 6 bits = 240 bits) is a much weaker target than 4096 bits of a
private key.

