Re: [Debian-audit] RFC: pre-disclosure list?

From: Max Vozeler <max_at_nusquama.org>
Date: Mon, 16 Jan 2006 14:09:19 +0100

On Mon, Jan 16, 2006 at 01:07:22PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Jan 16, 2006 at 01:43:30AM +0100, Max Vozeler wrote:
> > Yes, it would be illusionary to assume that messages will not
> > leak from such a list in some way. While there has been an ITP for
> > a mailing list manager that transparently handles encrypting to
> > gpg pubkeys of subscribers (#316128) which could be used, there has
> > been little progress since, and even with such a solution a
> > compromised host system could leak the mails.
>
> Doesn't mailman already do that? I'm a subscriber to a list that uses
> mailman and transparently handles GPG encryption (you encrypt messages
> to the mailman address and it re-encrypts them to all subscribers). I
> could ask for details on how it's set up if anybody is interested.

I'm interested in how this works. It's been a while since I last used
mailman (after moving to enemies-of-carlotta), so I wouldn't know. But
long long ago I tried to build such a thing myself. Even if we don't
end up using it for the pre-disclosure list I'm curious :-)

> > I suppose we could archive the list in an mbox local to the
> > server and bounce (as in mutt <b>) messages to debian-audit or a
> > dedicated list when they should be disclosed. Or just publish
> > one mbox per bug with the complete discussions.
>
> That, or have some kind of pseudo header that would track a database
> (i.e. a plain text file) where headers are associated with status
> (i.e. disclosed / non-public) and have it publish headers of mails
> that have been already disclosed.

That sounds feasible. I sense one downside though: If someone
accidentally sends a message with the wrong subject, information might be
disclosed prematurely. But it could default to PRIVATE if no known tag
was found, so this is probably a non-issue. OTOH, doing the disclosure
by hand has the advantage that all related messages from different
threads could be included or certain messages be excluded if they
contain information that is still considered confidential.

cheers,
Max
Received on Mon Jan 16 2006 - 13:10:11 GMT
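
The tag-to-status lookup discussed in this message, with the default-to-PRIVATE rule, as an added example that is not part of the original thread or any Debian tooling. The "[AUDIT-nnnn]" subject tag, the status file format, and all sample mails are assumptions constructed for illustration.

```python
import email
import re

# Constructed status file, one "<tag> <status>" pair per line (format assumed).
STATUS_DB = """\
# tag        status
AUDIT-0001   disclosed
AUDIT-0002   non-public
"""

# Constructed sample mails; the "[AUDIT-nnnn]" subject tag is a hypothetical convention.
SAMPLE_MAILS = [
    "From: a@example.org\nSubject: [AUDIT-0001] overflow in foo\n\nbody\n",
    "From: b@example.org\nSubject: [AUDIT-0002] race in bar\n\nbody\n",
    "From: c@example.org\nSubject: [AUDIT-0010] mistyped tag\n\nbody\n",
    "From: d@example.org\nSubject: Re: overflow in foo\n\nbody\n",
    "From: e@example.org\nSubject: [AUDIT-0001] same bug as [AUDIT-0002]?\n\nbody\n",
]

TAG_RE = re.compile(r"\[([A-Z]+-\d+)\]")

def load_status(text):
    """Parse the status file into {tag: status}, ignoring comments and blanks."""
    db = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            db[fields[0]] = fields[1].lower()
    return db

def classify(raw_mail, db):
    """Fail closed: 'disclosed' only if every tag found is known and disclosed."""
    subject = email.message_from_string(raw_mail).get("Subject", "")
    tags = TAG_RE.findall(subject)
    if tags and all(db.get(tag) == "disclosed" for tag in tags):
        return "disclosed"
    return "private"  # no tag, unknown tag, or any non-public tag

def publishable_headers(raw_mails, db):
    """Return (From, Subject) of the mails that may be published."""
    result = []
    for raw in raw_mails:
        if classify(raw, db) == "disclosed":
            msg = email.message_from_string(raw)
            result.append((msg["From"], msg["Subject"]))
    return result

if __name__ == "__main__":
    db = load_status(STATUS_DB)
    for raw in SAMPLE_MAILS:
        print(classify(raw, db), "|", email.message_from_string(raw)["Subject"])
```

A filter like this only sees tags, so a correctly tagged mail on a disclosed bug is published even if it contains still-confidential details, which is the case the manual approach in the message covers.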

