The review of the kernel team's processes for signing releases, and of the policies and procedures for handling the signing keys, was sought by the Linux Foundation and conducted by cybersecurity experts at the Open Source Technology Improvement Fund (OSTIF) and Trail of Bits.
“This review resulted in seven recommendations that can help improve the robustness of the security and use of the signing keys for the Linux Kernel,” notes OSTIF in its report.
In addition to the recommendations, the report notes that Trail of Bits suggested the kernel developers flesh out and update their documentation of these procedures and policies, so that organizations relying on the kernel can understand current practice.
Alongside the shortcomings it highlights, the report also sets out a series of recommended mitigations.
Notably, the Linux Foundation kernel team members agreed, more or less, with most of the suggestions, with the exception of one that runs against the principles of the wider open source community.
The report pointed out that the kernel project doesn't require individuals with commit rights on key Linux kernel repositories to store the private key material they use for GPG or SSH on a separate smart card device.
Furthermore, the Nitrokey smart card that the Linux Foundation recommends doesn't support touch activation, which the report argues gives much better protection than a Nitrokey protected only by a passphrase, since every signing or authentication operation then requires a physical touch on the device.
The report notes that the Linux Foundation kernel team members responded to this suggestion by saying they are unable to switch to a Yubikey with touch activation, because it is not open source and, in their view, can't be trusted for securing critical infrastructure.
However, the developers said they might update their policies to recommend that the current Nitrokeys be physically removed from the administrator’s computer when not in use.
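The control the report asks for can be checked locally. The following shell script is an added example, not part of the report or of the kernel project's own tooling: it parses the machine-readable output of `gpg -K --with-colons`, where field 15 of a `sec`/`ssb` record carries the smart card's serial number when the key lives on the card, `#` when only a stub with no secret material is present, and is empty when the private key sits on disk. The key IDs, fingerprint and card serial in the sample records are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the report or the kernel project): audit where the
# secret keys in a GnuPG keyring actually live, using the machine-readable
# output of `gpg -K --with-colons`.
#
# In sec/ssb records, field 12 lists the key's capabilities (lowercase letters
# are the key's own: s = sign, e = encrypt, a = authenticate, c = certify;
# uppercase letters summarise the whole key) and field 15 is the token serial
# number: a smart card serial when the key lives on the card, "#" when only a
# stub with no secret material is present, empty when the secret key is on disk.

# Print one line per secret key: "<record> <keyid> <caps> <location>".
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = ($12 == "") ? "-" : $12
            if ($15 == "")       where = "ON-DISK"
            else if ($15 == "#") where = "STUB"
            else                 where = "CARD:" $15
            printf "%s %s %s %s\n", $1, $5, caps, where
        }'
}

# Succeed only if every signing-capable secret key (lowercase "s" in caps)
# is backed by a smart card. A certify-only primary key kept as a stub,
# the usual offline-master layout, passes.
signing_keys_on_card() {
    classify_secret_keys | awk '
        $3 ~ /s/ && $4 !~ /^CARD:/ { bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample records (fake key IDs and card serial): a certify-only
# primary key kept as an offline stub, a signing subkey on a card, and an
# encryption subkey still stored on disk.
SAMPLE_GOOD='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESC:::#:::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::s:::D2760001240103040006123456780000:::23:
ssb:u:4096:1:1122334455667788:1600000000::::::e::::::23:'

# Same layout, but the signing subkey's secret material is on disk.
SAMPLE_BAD='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESC:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::s::::::23:
ssb:u:4096:1:1122334455667788:1600000000::::::e::::::23:'

printf '%s\n' "$SAMPLE_GOOD" | classify_secret_keys
if printf '%s\n' "$SAMPLE_GOOD" | signing_keys_on_card; then
    echo "good sample: all signing keys are on a smart card"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | signing_keys_on_card; then
    echo "bad sample: a signing key is not on a smart card"
fi
# Against a real keyring:  gpg -K --with-colons | signing_keys_on_card
```

The check only looks at where the secret material is stored; it says nothing about whether the card itself demands a touch or just a passphrase, which is the second point the report raises, and a key that passes here can still be used silently by any process that can reach the card while it is plugged in, which is why the kernel developers' fallback of unplugging the Nitrokey when it is not in use matters.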