Google Summer of Code/2018/Ideas/Improve OpenPGP support for bugzilla
Currently the OpenPGP bugzilla support is defunct in at least three ways:
- It encrypts to the first public key it considers viable, not respecting usage flags, leading to scenarios where the message is un-decryptable.
- There is no mechanism for refreshing public keys from known public sources (e.g HKP keyservers) leading to a situation where subkey rotation or changers to primary certificate (e.g due to expiry or revocation) is not picked up automatically and needs to be manually adjusted, failure to do so can lead to encryption to a known non-viable certificate.
- There is no group definition where multiple public keys can be assigned e.g to an alias account (security@) in bugzilla.
Having support for OpenPGP is necessary to retain confidentiality of restricted bugs in bugzilla, a lack of this results in information leakage. Alternatively, bug emails for group restricted bugs should not include metadata or data that can identify the issue, but merely report e.g "bug XXX has been updated, please log in to see the changes"
More details and proposed approaches are discussed here.