Re: Interest in ISO 27001 audit/certification for the Debian Project?

Russ Allbery <rra@debian.org> writes:

> Simon Josefsson <simon@josefsson.org> writes:
>
>> I agree with you that ISO 27001 certifications are often pointless, but I
>> would disagree that Debian would not be improved by further
>> documentation and transparency work. There is little assurance that the
>> archive private key isn't leaked by unknown key holders, or it may even
>> be generated on proprietary compromised devices.
>
> I think the key point here is that this is already work that we could do
> if there were volunteers willing to do it. Based on the number of years
> you've been raising this as an issue and the lack of results, I am
> assuming that's the primary problem: No one in a position to do the work
> is volunteering to do it.
>
> Adding ISO 27001 to the mix seems very unlikely to improve that
> fundamental problem. It would add a great deal of paperwork and process
> that is not directly relevant to the specific problem you are identifying,
> and that would take up even more volunteer time, precisely the resource
> that is already missing.
>
> If someone is volunteering to work on documentation and transparency of
> key handling procedures, they can (and probably should) look at audit
> frameworks for inspiration for how to do that work, but first we have to
> find the person or people who are willing to do the work. That feels like
> the hard part.

I think that is not the only possible scenario -- another one that I
find at least reasonable, if not more likely, is that anyone who
considered volunteering to implement this soon realized that there are
fundamental aspects that would need to be addressed first, raised those
concerns, did not find sufficient support or interest to address or talk
about the concerns, and started to work on improving those issues
elsewhere (if they at all cared to pursue it further, demotivation is a
factor too).

That pattern applies to Ubuntu, although I guess ISO 27001 on its own
may not have been the biggest motivation there.  Still, the end result
is that Ubuntu has ISO 27k and Debian hasn't.

(I guess the reference to "you" is not directly meant to me, but someone
else?  I don't recall bringing up ISO 27k before and personally I find
such certifications, like FIPS, generally more harmful than useful.
Some parts of ISO 27k bring up important topics, but you can become ISO
27k certified without really addressing the problems, and some of the
topics they bring up may imply worse technical solutions.)

/Simon
