Archived
15
23
Fork
You've already forked meta
6

Security team and email account #37

Closed
opened 2022年11月17日 12:13:42 +01:00 by caesar · 22 comments
Member
Copy link
  • decide who will receive security reports
  • set up an email address for security reports (such as security@forgejo.org)
  • create an OpenPGP keypair for the above email account
  • publish the OpenPGP public key
  • share the OpenPGP private key with the security team
  • set up Keyoxide proofs for the OpenPGP public key

Discussed on Matrix, where @Gusted volunteered to handle security reports and @fnetX proposed creating a joint Codeberg / Forgejo security team.

Needed for forgejo/forgejo#9 / forgejo/forgejo#18.

- [x] decide who will receive security reports - [x] set up an email address for security reports (such as `security@forgejo.org`) - [x] create an OpenPGP keypair for the above email account - [x] publish the OpenPGP public key - [x] share the OpenPGP private key with the security team - [x] [set up Keyoxide proofs](https://codeberg.org/forgejo/meta/issues/40) for the OpenPGP public key [Discussed on Matrix](https://matrix.to/#/!qjPHwFPdxhpLkXMkyP:matrix.org/$CxU5F9MVRBcINsgEN7soxfDLHE9g48I_WP1eHay1phQ), where @Gusted volunteered to handle security reports and @fnetX proposed creating a joint Codeberg / Forgejo security team. Needed for forgejo/forgejo#9 / forgejo/forgejo#18.
Related https://codeberg.org/forgejo/website/issues/14

@Gusted the issue was assigned to you because you mentioned that you'd be willing to act on it in the chat. Feel free to unassign yourself if I overstepped.

@Gusted the issue was assigned to you because you mentioned that you'd be willing to act on it in the chat. Feel free to unassign yourself if I overstepped.

Who should be on the receiving end on security@codeberg.org:

  • At least one Forgejo contributor (e.g. myself)
  • security@codeberg.org which is a alias to the active members of Codeberg infrastructure (Correct me if I'm wrong @fnetX).

I assume I can use OVH's feature to add the email redirections for security@forgejo.org?

I will create the OpenGPG in a moment.

Who should be on the receiving end on security@codeberg.org: - At least one Forgejo contributor (e.g. myself) - security@codeberg.org which is a alias to the active members of Codeberg infrastructure (Correct me if I'm wrong @fnetX). I assume I can use [OVH's feature](https://www.ovh.com/manager/#/web/email_domain/forgejo.org/email/redirection) to add the email redirections for `security@forgejo.org`? I will create the OpenGPG in a moment.

I'm willing to be on the receiving end on security@codeberg.org

I'm willing to be on the receiving end on security@codeberg.org
Contributor
Copy link

I disclosed vulnerabilities responsibly in the past.
If you think, you could benefit from someone with experience in Frontend technologies, sign me up.

(Also disclaimer: I'm community member at WeHackPurple on invite of Tanya).

I disclosed vulnerabilities responsibly in the past. If you think, you could benefit from someone with experience in Frontend technologies, sign me up. (Also disclaimer: I'm community member at WeHackPurple on invite of Tanya).
Owner
Copy link

Sorry, can someone explain the current setup again: Will there be security@forgejo.org forwarding to codeberg, or will security@codeberg.org forward to forgejo? Or both to individuals?

Sorry, can someone explain the current setup again: Will there be security@forgejo.org forwarding to codeberg, or will security@codeberg.org forward to forgejo? Or both to individuals?
Author
Member
Copy link

I think both addresses need to exist. The forwarding setup depends on who's involved on the Forgejo and Codeberg teams I guess. Perhaps both forwarding to individuals is best, unless a dedicated inbox will be set up for one or the other? Otherwise emails will be forwarded twice.

I think both addresses need to exist. The forwarding setup depends on who's involved on the Forgejo and Codeberg teams I guess. Perhaps both forwarding to individuals is best, unless a dedicated inbox will be set up for one or the other? Otherwise emails will be forwarded twice.
Author
Member
Copy link

I'd like to advance with this in order to compete forgejo/forgejo#18.
Does anyone object to the following immediate actions?

  • create an alias security@forgejo.org
  • forward mails to those who volunteered above: @Gusted, @dachary, @Ryuno-Ki, @fnetX

We can then continue discussion and modify the forwarding targets later as necessary.

I'd like to advance with this in order to compete forgejo/forgejo#18. Does anyone object to the following immediate actions? - create an alias `security@forgejo.org` - forward mails to those who volunteered above: @Gusted, @dachary, @Ryuno-Ki, @fnetX We can then continue discussion and modify the forwarding targets later as necessary.
Author
Member
Copy link

The above steps have now been completed.

I created the @forgejo/Security team to keep track of who will receive security reports.

Additionally, @Gusted has created an OpenPGP keypair for the security team, with the following fingerprint: 311A7E4BB93EFF1F7ED5BE3C5C597051A4676E79.

I will leave this issue open to continue discussion of the longer-term strategy for forwarding and handling emails to security@forgejo.org.

[The above steps](https://codeberg.org/forgejo/meta/issues/37#issuecomment-689857) have now been completed. I created the @forgejo/Security team to keep track of who will receive security reports. Additionally, @Gusted has created an OpenPGP keypair for the security team, with the following fingerprint: `311A7E4BB93EFF1F7ED5BE3C5C597051A4676E79`. I will leave this issue open to continue discussion of the longer-term strategy for forwarding and handling emails to `security@forgejo.org`.
Author
Member
Copy link

@Gusted, I suggest you should publish the public key to keys.openpgp.org.

Additionally, as mentioned on Matrix, we should set up WKD (perhaps at least initially by delegation to keys.openpgp.org).

We could also consider setting up Keyoxide identity proofs.

@Gusted, I suggest you should publish the public key to keys.openpgp.org. Additionally, as [mentioned on Matrix](https://matrix.to/#/!qjPHwFPdxhpLkXMkyP:matrix.org/01ドルOXB5eVZaDMRLnEcAZNV-ultjfnaANLRf9QABYsMTo), we should set up WKD (perhaps at least initially by delegation to keys.openpgp.org). We could also consider setting up [Keyoxide](https://keyoxide.org/) identity proofs.

Keyoxide has nothing to do with the GPG keys right? Nonetheless a good idea.

Keyoxide has nothing to do with the GPG keys right? Nonetheless a good idea.
https://keys.openpgp.org/search?q=1B638BDF10969D627926B8D9F585D0F99E1FB56F Published the public key to keys.opengpg.org
Author
Member
Copy link

Keyoxide has nothing to do with the GPG keys right? Nonetheless a good idea.

Yes, you publish 'claims' on the GPG key (as 'annotations', which don't show up in most software), and 'proofs' on the sites you're claiming. No data is stored by Keyoxide.

See https://docs.keyoxide.org/openpgp-profiles/using-gnupg/ for more info on the GPG side.

For example, with the Gitea proof we could prove ownership of the Forgejo organization on Codeberg.
With the DNS proof we could prove ownership of the forgejo.com domain.
And likewise for a future fediverse account.

Keyoxide fetches the key from WKD if possbile and then falls back to keys.openpgp.org.

You can see my Keyoxide 'profile' for an example.

> Keyoxide has nothing to do with the GPG keys right? Nonetheless a good idea. Yes, you publish 'claims' on the GPG key (as 'annotations', which don't show up in most software), and 'proofs' on the sites you're claiming. No data is stored by Keyoxide. See https://docs.keyoxide.org/openpgp-profiles/using-gnupg/ for more info on the GPG side. For example, with [the Gitea proof](https://docs.keyoxide.org/service-providers/gitea/) we could prove ownership of the Forgejo organization on Codeberg. With [the DNS proof](https://docs.keyoxide.org/service-providers/dns/) we could prove ownership of the `forgejo.com` domain. And likewise for a future [fediverse](https://docs.keyoxide.org/service-providers/activitypub/) account. Keyoxide fetches the key from WKD if possbile and then falls back to keys.openpgp.org. You can see [my Keyoxide 'profile'](https://keyoxide.org/caesar@caesarschinas.com) for an example.

Do we also want keyoxide proofs for the other emails (e.g. contact@forgejo.org)? I will go ahead with keyoxide later today.

Do we also want keyoxide proofs for the other emails (e.g. contact@forgejo.org)? I will go ahead with keyoxide later today.
Author
Member
Copy link

Hmm, yes, we do need to consider what we want to claim on each GPG key. For example the security key doesn't need to claim the (future) Mastodon account.

I'm not 100% certain if the same URLs can be claimed from multiple GPG keys (ie, if multiple proofs can be posted in a single location). I suspect not, but I will ping @yarmo (Keyoxide maintainer) to find out.

Hmm, yes, we do need to consider what we want to claim on each GPG key. For example the security key doesn't need to claim the (future) Mastodon account. I'm not 100% certain if the same URLs can be claimed from multiple GPG keys (*ie*, if multiple proofs can be posted in a single location). I suspect not, but I will ping @yarmo (Keyoxide maintainer) to find out.

Congrats on forgejo, can't wait to see how far this goes.

yes, we do need to consider what we want to claim on each GPG key

IMHO every key should at least claim the forgejo.org domain, proving that they are indeed made by the people behind the domain.

I'm not 100% certain if the same URLs can be claimed from multiple GPG keys

Yes, this is possible! For domains, simply add multiple DNS TXT records. Or add multiple fingerprints to the one DNS TXT record, that should also work although I've never tried that.

Congrats on forgejo, can't wait to see how far this goes. > yes, we do need to consider what we want to claim on each GPG key IMHO every key should at least claim the forgejo.org domain, proving that they are indeed made by the people behind the domain. > I'm not 100% certain if the same URLs can be claimed from multiple GPG keys Yes, this is possible! For domains, simply add multiple DNS TXT records. Or add multiple fingerprints to the one DNS TXT record, that should also work although I've never tried that.

I think a dedicated semi-private Matrix room will be at least something to deploy in addition to Keyoxide verified fingerprints and email addresses.

Why?

Because many of us have already begun their migrations in earnest to use our Matrix addresses as our primary PoCs, often only occasionally checking email, or only using it for direct contact with our paying customers.

About two dozen if my colleagues now only publish their Matrix addresses exclusively everywhere, and I'm not sure, but some of them might have almost entirely retired their email - one of those individuals is actually a prominent Matrix server dev.

I think a dedicated semi-private Matrix room will be at least something to deploy in addition to Keyoxide verified fingerprints and email addresses. Why? Because many of us have already begun their migrations in earnest to use our Matrix addresses as our primary PoCs, often only occasionally checking email, or only using it for direct contact with our paying customers. About two dozen if my colleagues now only publish their Matrix addresses exclusively everywhere, and I'm not sure, but some of them might have almost entirely retired their email - one of those individuals is actually a prominent Matrix server dev.
Author
Member
Copy link

share the OpenPGP private key with the security team

This is the only thing remaining in order to close this issue. @Gusted or @dachary could you confirm if the key has been securely shared with everyone in @forgejo/Security ?

> share the OpenPGP private key with the security team This is the only thing remaining in order to close this issue. @Gusted or @dachary could you confirm if the key has been securely shared with everyone in @forgejo/Security ?

I just sent encrypted emails to @fnetX and @Ryuno-Ki, the other two members of the security team awaiting confirmation. Maybe @Gusted already sent them the key.

I just sent encrypted emails to @fnetX and @Ryuno-Ki, the other two members of the security team awaiting confirmation. Maybe @Gusted already sent them the key.

I'm currently lazy with doing GPG (on my PC) as it's giving me a lot of headache due to some problems with dirmngr service.

I'm currently *lazy* with doing GPG (on my PC) as it's giving me a lot of headache due to some problems with `dirmngr` service.
Contributor
Copy link

I just sent encrypted emails to @fnetX and @Ryuno-Ki, the other two members of the security team awaiting confirmation. Maybe @Gusted already sent them the key.

Ah, that was the content of the mail!

I haven't been able to check the content from my mobile (d'oh).
Let me get back to you.

> I just sent encrypted emails to @fnetX and @Ryuno-Ki, the other two members of the security team awaiting confirmation. Maybe @Gusted already sent them the key. Ah, that was the content of the mail! I haven't been able to check the content from my mobile (d'oh). Let me get back to you.
caesar added this to the Launch milestone 2022年12月06日 08:48:30 +01:00
Author
Member
Copy link

Closing as I believe this is completed; feel free to re-open if there is anything outstanding here.

Closing as I believe this is completed; feel free to re-open if there is anything outstanding here.
Commenting is not possible because the repository is archived.
No Branch/Tag specified
readme
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
Accessibility
Relates to Accessibility (a11y) of product, project and process.
Agreement proposal
Forgejo agreement proposal, following a discussion
Communication
Relates to all channels, social media, website, blog posts.
Election
Process of appointing a person into a role or team (if choosing people just for a specific one-time task, use the Entrustment label)
Entrustment
Process of choosing/approving specific people to do a critical/high-impact one-time task (if choosing people for an ongoing role/team, use the Election label)
Governance
Relates to processes, procedures and decision-making.
Meeting
An upcoming team meeting
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
7 participants Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/meta#37
Reference in a new issue
forgejo/meta
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?