bewees | Hi, how secure does Ubuntu safe their infrastructure keys and is Ubuntu obligated to share them with governmental juridictions? For example do admins use hardware key storages such as Nitrokey and does Ubuntu have to work with the government like Google, Microsoft and Apple have to? Ubuntu being a britain company I think it has to comply with british juridictions and share their keys if demanded | 15:18 |
---|---|---|
bewees | British* | 15:22 |
rbasak | bewees: I'm not sure you're going to get an answer to that by asking here. I don't speak for Canonical or Ubuntu in this regard, but of course Canonical is obligated to follow the law - that's a tautology - same as any other company. | 17:45 |
rbasak | What answer are you hoping for, exactly? | 17:46 |
bewees | rbasak: Hoping that hardware keys are used in a secured and audited environments for package signing and that only security cleared maintainers have access to them. As for the court order I hope, although legally possible, has not occured yet, or if in very rare cases with one-off keys | 18:55 |
bewees | Worst scenario would be, considering Canonical is UK based, permanent access to the master keys and specific repositories including SNAP repositories is granted to GHCQ used for mass surveillance on nebulous target lists, like we have been presented by Snowden where people who used Tor for privacy were added to a red list although they did not commit any crime | 18:59 |
bewees | Sorry worst scenario would actually be that master keys are in the hands of other entities than five eyes, so latter scenario would be second worst | 19:00 |
JanC | I really don't think there exists any law requiring Canonical to hand over signing keys... | 19:23 |
bewees | JanC: I know those (secret) court orders exist in USA, but I do not know british law, so maybe it works different in the UK :-) | 19:34 |
tomreyn | I think a law requiring (at least individuals) to hand over passwords (secrets) to authorities has been passed in the UK some 5 or so years ago. | 19:37 |
tomreyn | this is what i'm thinking of https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom | 19:38 |
rbasak | bewees: if, hypothetically, Canonical were sharing keys with GCHQ, but this was not public information, then what answer would you expect to receive to your question on public IRC? | 19:39 |
rbasak | I just don't understand what you're expecting in asking the question here. | 19:39 |
JanC | tomreyn: but there is nothing to decrypt with the signing key... | 19:44 |
bewees | tomreyn: Interesting, I think German law does not have that, yet there is coercive detention which can be up to six months | 19:44 |
teward | I think this is one of those impossible questions you'll never get a public forum answer to. IT fits into the category of "Is X secretly doing Y?" and that type of question never gets answered in a public forum. | 19:45 |
teward | this is also a legal question and probably if anywhere would be directed to Canonical Legal, not the Ubuntu Security Team | 19:45 |
teward | also, corporate entities are not required to disclose if they are or are not doing something if it's in accordance with a law. | 19:46 |
bewees | Quick google search revealed UK also the secret courts deployed similar to the US. So I think it is possible by law | 19:52 |
bewees | +has | 19:52 |
JanC | even secret courts have to follow the law | 19:52 |
rbasak | I'd expect a secret court order to come with a gag order, so again you're not going to get any useful information here. | 19:54 |
JanC | and there does not seem to be any laws about handing over signing keys, as those don't hide any information needed for an investigation... | 19:55 |
rbasak | (to be clear, I'm not aware of anything going on like this, but nor would I expect to know about any such thing as I'm not involved in build infrastructure maintenance) | 19:55 |
rbasak | All you're going to be able to do is create conspiracy theories, effectively. It's not possible to find out what might be going secretly by asking in public. | 19:56 |
teward | they're gone rbasak :P | 19:56 |
rbasak | Ah | 19:56 |
teward | they're in #ubuntu-discuss now that tomreyn moved them there. | 19:56 |
rbasak | Anyway, FTR, anybody who cares can rebuild from source. That's something that Free Software makes possible. | 19:56 |
teward | yup | 20:03 |
tomreyn | teward: said discussion had started in -discuss. i had suggested to move it here then, but now that i realized it doesn't really belong here, i though it's better to keep it out of here. | 20:18 |
tomreyn | sorry for the channel hopping, though. | 20:20 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!