From: Petr Lautrbach <lautrbach@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
Date: Thu, 15 Jan 2026 20:29:53 +0100
Message-ID: <87h5sm1xou.fsf@redhat.com>
In-Reply-To: <CAHC9VhSeoyDPyK=Ph6_ksTwW3YrCaoHSztfPDnEGAxSsCYNPLw@mail.gmail.com>
Paul Moore <paul@paul-moore.com> writes:
> On Thu, Jan 15, 2026 at 1:30 PM Paul Moore <paul@paul-moore.com> wrote:
>> On Thu, Jan 15, 2026 at 12:02 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> > Paul Moore <paul@paul-moore.com> writes:
>> >
>> > > On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> > >>
>> > >> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
>> > >
>> > > Okay, in this case you need to get this new key signed by other
>> > > individuals trusted by the SELinux community before we can consider
>> > > including it in the SECURITY.md file.
>> > >
>> >
>> > My idea was:
>> >
>> > Before this patch my address was there without gpg fingerprint. It means
>> > that I could be contacted directly via un-encrypted email.
>>
>> Yes. However, I believe there are usually different levels of trust
>> associated with plaintext and encrypted email.
>>
>> > The key I used in this patch was already used for SELinux userspace
>> > release ...
>>
>> I think the understanding was that release signing would be done by
>> individuals with a GPG key signed by others in the SELinux community
>> to help establish trust. However, as you pointed out, I don't think we
>> documented that requirement or enforced it properly; we should do so
>> in the future.
>>
>> > ... public key is available at 2 different locations connected to
>> > me - github (I'm part of SELinux organization) and
>> > plautrba.fedorapeople.org (I'm a packager for 15+ years) and it's also
>> > used in Fedora [1] and RHEL [2] - only Red Hat employees can push there and it
>> > was me who pushed [3]. That being said I expected that the key is
>> > already trusted due to all the records.
>>
>> While that demonstrates some level of trust between that user/key and
>> those organizations (GH, Fedora, IBM/RH), it doesn't establish a level
>> of trust between that user/key and the SELinux community.
>
> ... and I should say that I have no reason to believe you are not the
> Good Petr who is a valued member of the SELinux community, but there
> are rumors of an Evil Petr and I just want to make sure we do the
> right thing from a community perspective ;)
>
> Apologies for what may seem like excessive pedantry on this.
>
You should probably consider removing the bachradsusi account from the GitHub
SELinuxProject org and removing their commit rights. They provided
https://github.com/bachradsusi.gpg with public keys for which they can't confirm
that the private keys are really in Petr's hands:
E853C1848B0185CF42864DF363A8AD4B982C4373 - uses SHA1 and the private keys
are lost - according to me, so it would be better to contact Petr with an
encrypted message and ask him to sign a response. But it could take some
time to get a response from him.
68D21823342A13683AEB3E4EFB4C685B5DC1C13E - not signed by any SELinux
team member.
There's a risk that they'll change released files and file signatures.
Petr
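The thread turns on three checkable properties of a key: whether a fingerprint names a primary key or a subkey, whether the key carries certifications from people the community already trusts, and whether it still relies on SHA-1 signatures. The script below is an added example, not code from the thread or from the SELinux project: it parses the colon-separated output of `gpg --with-colons --list-sigs` (field positions per GnuPG's DETAILS documentation) and answers those questions for a given fingerprint. The two listings are constructed samples built around the two fingerprints quoted in the thread; the signer key IDs `0000000000000001`/`0000000000000002`, the dates and the user IDs are made up, and the acceptance policy in `acceptable_for_security_md` is an assumption, not the project's documented rule.

```python
"""Audit gpg --with-colons --list-sigs output: primary key vs subkey, trusted
certifications, and weak (MD5/SHA-1) signature hashes."""
from dataclasses import dataclass, field

# Hash algorithm ids (RFC 4880 section 9.4) as gpg prints them in field 16 of sig records.
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_ALGOS = {1, 2}

# Constructed sample listings. Fingerprints are the two from the thread; the
# third-party signer key IDs, creation dates and user IDs are invented.
LISTING_NEW_KEY = """\
pub:u:4096:1:FB4C685B5DC1C13E:1700000000:::u:::scESC::::::23::0:
fpr:::::::::68D21823342A13683AEB3E4EFB4C685B5DC1C13E:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Petr Lautrbach <lautrbach@redhat.com>::::::::::0:
sig:::1:FB4C685B5DC1C13E:1700000000::::Petr Lautrbach <lautrbach@redhat.com>:13x:::::10:
sig:::1:0000000000000001:1700000100::::Community Member One <one@example.org>:13x:::::8:
sig:::1:0000000000000002:1700000200::::Community Member Two <two@example.org>:10x:::::2:
sub:u:4096:1:1111111111111111:1700000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
"""
LISTING_OLD_KEY = """\
pub:u:2048:1:63A8AD4B982C4373:1300000000:::u:::scESC::::::23::0:
fpr:::::::::E853C1848B0185CF42864DF363A8AD4B982C4373:
uid:u::::1300000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Petr Lautrbach <lautrbach@redhat.com>::::::::::0:
sig:::1:63A8AD4B982C4373:1300000000::::Petr Lautrbach <lautrbach@redhat.com>:13x:::::2:
"""


def parse_records(listing):
    """Split colon-separated gpg output into (record_type, fields) tuples."""
    return [(line.split(":")[0], line.split(":")) for line in listing.splitlines() if line.strip()]


def split_certificates(listing):
    """Group records into certificates; each certificate starts at a pub record."""
    certs = []
    for record in parse_records(listing):
        if record[0] == "pub":
            certs.append([])
        if certs:
            certs[-1].append(record)
    return certs


def find_certificate(listing, fpr):
    """Locate the certificate carrying fpr and say whether fpr is its primary key or a subkey."""
    for cert in split_certificates(listing):
        last_key_type = None
        for rtype, fields in cert:
            if rtype in ("pub", "sub"):
                last_key_type = rtype
            elif rtype == "fpr" and fields[9].upper() == fpr:
                return ("primary" if last_key_type == "pub" else "subkey"), cert
    return "absent", []


@dataclass
class KeyAudit:
    fingerprint: str
    kind: str  # "primary", "subkey" or "absent"
    uids: list = field(default_factory=list)
    trusted_signers: list = field(default_factory=list)  # strong-hash certifications from trusted keys
    weak_hash_sigs: list = field(default_factory=list)   # (signer uid, hash name, is_self_signature)


def audit_key(listing, fingerprint, trusted_keys):
    """Audit one fingerprint against a set of trusted fingerprints or long key IDs."""
    fpr = fingerprint.replace(" ", "").upper()
    # sig records carry only the 16-hex key ID, so reduce trusted fingerprints to that.
    trusted = {k.replace(" ", "").upper()[-16:] for k in trusted_keys}
    kind, cert = find_certificate(listing, fpr)
    audit = KeyAudit(fingerprint=fpr, kind=kind)
    primary_keyid = cert[0][1][4].upper() if cert else ""
    for rtype, fields in cert:
        if rtype == "uid":
            audit.uids.append(fields[9])
        elif rtype == "sig" and fields[10][:2] in ("10", "11", "12", "13"):  # UID certifications only
            signer, signer_uid = fields[4].upper(), fields[9]
            hash_algo = int(fields[15]) if len(fields) > 15 and fields[15] else 0
            is_self = signer == primary_keyid
            if hash_algo in WEAK_HASH_ALGOS:
                audit.weak_hash_sigs.append((signer_uid, HASH_ALGO_NAMES[hash_algo], is_self))
            elif not is_self and signer in trusted:
                audit.trusted_signers.append(signer_uid)
    return audit


def acceptable_for_security_md(audit, min_trusted=1):
    """Assumed policy: primary key, no weak-hash self-signature, enough trusted certifications."""
    reasons = []
    if audit.kind != "primary":
        reasons.append(f"fingerprint is {audit.kind}, not a primary key")
    if any(is_self for _, _, is_self in audit.weak_hash_sigs):
        reasons.append("self-signature uses a weak hash")
    if len(audit.trusted_signers) < min_trusted:
        reasons.append(f"only {len(audit.trusted_signers)} trusted certification(s), need {min_trusted}")
    return not reasons, reasons


if __name__ == "__main__":
    community = ["0000000000000001", "0000000000000002"]  # constructed trusted key IDs
    for listing, fpr in ((LISTING_NEW_KEY, "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E"),
                         (LISTING_OLD_KEY, "E853C1848B0185CF42864DF363A8AD4B982C4373")):
        result = audit_key(listing, fpr, community)
        print(fpr, result.kind, acceptable_for_security_md(result))
```

A SHA-1 certification from a trusted signer is deliberately not counted towards `trusted_signers`; it is recorded under `weak_hash_sigs` instead, so a maintainer sees both why the key is short of certifications and who would need to re-sign it. Against a real keyring, feed the script the output of `gpg --with-colons --list-sigs <fingerprint>`.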