[RFC] impact on template downloads in view of SKS Keyserver Network Attack #3068
To my humble understanding, the template downloads verify signatures via SKS, and I would thus appreciate clarification on whether and to what potential extent the download process could be impacted by
SKS Keyserver Network Under Attack
My understanding is that the SKS attack effectively allows for replacing a valid public key entry with a broken/unreadable one, effectively preventing the retrieval of the public key from the SKS network.
So that's effectively a DoS attack. It will not allow an attacker to replace the key with their own so they will not be able to cause systems running LXC to run compromised content.
I think that in the next LXC release, we'll want to take the same approach we did with LXD and remove the GPG handling code, instead requiring that the index files be downloaded over HTTPS and then validating the artifacts against the signatures found in those index files.
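The approach described in the reply above (trust the index because it arrived over HTTPS, then check every downloaded artifact against what the index lists) boils down to a small verification step. The following is an added example, not LXC or LXD project code; the index format (`<sha256 hex>  <artifact name>` per line, `#` comments allowed) and the artifact contents are constructed for this example and do not represent the real image-server format. It also shows the three outcomes a downloader has to distinguish: a matching digest, a content mismatch, and an artifact the index does not list at all.

```python
import hashlib
import hmac
import re

# Added example (not LXC/LXD project code). It illustrates the approach
# described in the thread: the index is trusted because it was fetched over
# HTTPS, and each downloaded artifact is checked against the digest it lists.
# The index format below is a constructed stand-in, not the real one.


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts, standing in for files fetched from an image server.
ARTIFACTS = {
    "rootfs.tar.xz": b"constructed rootfs contents",
    "meta.tar.xz": b"constructed metadata contents",
}

# Constructed index text: "<sha256 hex>  <artifact name>" per line, '#' comments allowed.
INDEX_TEXT = "# hypothetical index, served over HTTPS in a real deployment\n" + "".join(
    f"{sha256_hex(data)}  {name}\n" for name, data in ARTIFACTS.items()
)

_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$")


def parse_index(text: str) -> dict:
    """Map artifact name -> expected SHA-256.

    Malformed or duplicate lines raise instead of being skipped, so a damaged
    index cannot silently turn into 'nothing to verify'.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"index line {lineno} is malformed: {raw!r}")
        digest, name = m.groups()
        if name in expected:
            raise ValueError(f"index lists {name} twice")
        expected[name] = digest
    return expected


def verify_artifact(name: str, data: bytes, expected: dict) -> str:
    """Return 'ok', 'mismatch' (content differs from index) or 'unlisted' (no index entry)."""
    if name not in expected:
        return "unlisted"
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(sha256_hex(data), expected[name]):
        return "ok"
    return "mismatch"


def verify_all(artifacts: dict, expected: dict) -> dict:
    """Verify every downloaded artifact; the caller should refuse to use any that is not 'ok'."""
    return {name: verify_artifact(name, data, expected) for name, data in artifacts.items()}


if __name__ == "__main__":
    index = parse_index(INDEX_TEXT)
    print(verify_all(ARTIFACTS, index))
    # Simulate a rootfs that was altered in transit: the digest no longer matches.
    altered = dict(ARTIFACTS, **{"rootfs.tar.xz": b"rootfs altered in transit"})
    print(verify_all(altered, index))
```

The important design point is that the index itself carries no signature in this example: its integrity rests entirely on the TLS channel it was fetched over, which is exactly the trade the reply describes when it drops the keyserver dependency. An artifact that verifies as `unlisted` should be treated the same as a mismatch, since an index that omits a file gives the downloader nothing to check it against.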