Re: Interest in ISO 27001 audit/certification for the Debian Project?
Simon Josefsson <simon@josefsson.org> writes:
> I agree with you that ISO 27001 certifications are often pointless, but I
> would disagree that Debian would not be improved by further
> documentation and transparency work. There is little assurance that the
> archive private key isn't leaked by unknown key holders, or it may even
> be generated on proprietary compromised devices.
I think the key point here is that this is already work that we could do
if there were volunteers willing to do it. Based on the number of years
you've been raising this as an issue and the lack of results, I am
assuming that's the primary problem: No one in a position to do the work
is volunteering to do it.
Adding ISO 27001 to the mix seems very unlikely to improve that
fundamental problem. It would add a great deal of paperwork and process
that is not directly relevant to the specific problem you are identifying,
and that would take up even more volunteer time, precisely the resource
that is already missing.
If someone is volunteering to work on documentation and transparency of
key handling procedures, they can (and probably should) look at audit
frameworks for inspiration for how to do that work, but first we have to
find the person or people who are willing to do the work. That feels like
the hard part.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>