[Sks-devel] Cease of operation: *.gnupg.pub
Franck Nijhof
2018-04-23 15:24:25 UTC
Hi there,

Via this message, I am announcing the cessation of operations on the servers: *.gnupg.pub.

I started this experiment some time ago, have enjoyed it pretty much and reached my goal: getting my server in the pools most of the time, by getting the highest possible score (without HA).

The time has also come to make some confessions. Those scores my server got are not real. I have studied the code running the pools quite a bit and discovered quite a few flaws in it, which I successfully exploited to get a higher ranking, resulting in my pretty low-budget VPS being in multiple pools almost all the time. I am not going to expose those flaws right here. Nevertheless, I do think it is pretty severe that this system is that easy to manipulate. Even worse, I did not even get into doing extreme things since that was not necessary at all.

With all due respect, the code running the SKS pools and website is in a pretty sad state. In my humble opinion the code should be made public on a decent open source platform (e.g., GitHub), refactored and exposed as much as possible in order to gain feedback and improvements from other developers. While doing that, add some decent CI/CD as well, including some static code analysis tooling.

Don't worry; the data is not being exploited at all. Nor did peering with me have any effect on your services. That was never the intention of this little project.

Thank you for teaching me so much about GPG and the inner workings of the SKS pools that are so important to the GnuPG community and its users.

With kind regards,

Franck Nijhof
Travis
2018-04-23 15:43:24 UTC
The code is available at:

https://bitbucket.org/skskeyserver/sks-keyserver/overview
https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=summary

It'll be great to have your contributions to help improve the project.

Travis
Franck Nijhof
2018-04-23 20:00:01 UTC
Hi Travis,
Post by Franck Nijhof
I have studied the code running the pools quite a bit
I also have not modified any of the SKS key server code along the process. My machines always ran the original SKS key server code.
The issue is with the SKS key-server website/pool decision code, which is currently hosted by Sumptuous Capital.
Post by Franck Nijhof
In my humble opinion the code should be made public on a decent open source platform (e.g., GitHub)
I am not sure if the little Git server thingy on that Sumptuous Capital domain qualifies.
Bitbucket is a fine service by Atlassian, but let's be honest here: if you are serious about Open Source, GitHub is the place to be.
Open Source requires issue management, pull requests and above all: contributors! Unfortunately, the latter are mostly found on GitHub.

Nevertheless, thank you for your response Travis, that is very much appreciated.

With kind regards,

Franck Nijhof
Valentin Brandl
2018-04-24 08:20:23 UTC
Post by Franck Nijhof
I am not sure if the little Git server thingy on that Sumptuous Capital domain qualifies.
Bitbucket is a fine service by Atlassian, but let's be honest here, if
you are serious about Open Source, GitHub is the place to be.
contributors! Unfortunately, the latter are mostly found on GitHub.
Nevertheless, thank you for your response Travis, that is very much appreciated.
While I agree with you that hosting the code on a smaller platform like Bitbucket might keep some people from contributing, I'm actually glad there are projects that choose not to host their code on GitHub.
You can actually use GitHub as an authentication provider for Bitbucket, so you are not required to create a new account to contribute to SKS.
--
Kind regards
Valentin Brandl
Kristian Fiskerstrand
2018-04-24 08:29:05 UTC
Post by Valentin Brandl
Post by Franck Nijhof
I am not sure if the little Git server thingy on that Sumptuous
Capital domain qualifies. Bitbucket is a fine service by Atlassian,
but let's be honest here, if you are serious about Open Source,
GitHub is the place to be. Open Source requires, issue management,
pull requests and above all: contributors! Unfortunately, the
latter are mostly found on GitHub.
Nevertheless, thank you for your response Travis, that is very much appreciated.
While I agree with you that hosting the code on a smaller platform
like bitbucket might keep some people from contributing, I'm actually
glad there are projects that choose not to host their code on
GitHub. You can actually use GitHub as authentication provider for
Bitbucket so you are not required to create a new account to
contribute to SKS.
I find the claim of relying on a proprietary service "if
you are serious about Open Source" somewhat more interesting.

In any case, GitHub has a tendency of destroying proper commit messages
etc. for the pull requests. That said, nothing stops a contributor from
using GitHub to host their repo then doing a proper git pull request
(man git-request-pull) or just a git-format-patch.

This was described in more detail in
https://www.wired.com/2012/05/torvalds-github/ and comments starting
with at least
https://github.com/torvalds/linux/pull/17#issuecomment-5654674
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"In politics stupidity is not a handicap."
(Napoleon Bonaparte)
Franck Nijhof
2018-04-24 08:57:57 UTC
Hi Kristian,

Thank you for your response.
I find it kinda funny and typical to see your response (and other responses as well).

I do not care which platform you are using. I was just stating that this:

https://git.sumptuouscapital.com/

is not going to help with getting more people on board in improving things.
Sending git patches? Maybe you should consider tarballs for storing the history as well.

Secondly, GitHub destroying proper commit messages? Nice, haven't heard that one before.
I work for a pretty large open source project (listed in the top 10 of GitHub) and cannot relate to that.

Look at this:

https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=shortlog

One committer? Seriously? This is what GnuPG is using these days?
Please, guys, get your head out of your *censored* and start working together.
Or, at least, create an environment that allows doing so.

My initial message was not about the hosting, but about being able to manipulate the system with ease.
Somehow, that severe and alarming message is now overshadowed by a discussion on Open Source platforms.

With kind regards,

Franck Nijhof
_______________________________________________
Sks-devel mailing list
https://lists.nongnu.org/mailman/listinfo/sks-devel
Kristian Fiskerstrand
2018-04-24 09:03:29 UTC
Post by Franck Nijhof
My initial message was not about the hosting, but being able to
manipulate the system with ease, Somehow, that severe and alarming
message is now overshadowed by a discussion on Open Source
platforms.
It would be helpful if you described the threat model you're worried
about and actual impacts. fwiw, as far as I can see your servers were
never included in hkps nor tor ports either which reduces some privacy
angles. If you're worried about info leak there are easier ways for an
attacker to impact traffic though, but the original report reads too
much like a rant and has insufficient info to comment much.
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"We all die. The goal isn't to live forever, the goal is to create
something that will."
(Chuck Palahniuk)