[RFC] OpenWrt impacted by SKS Keyserver Network Attack?

Not scaremongering, but I would certainly appreciate clarification on whether this could have a potential impact on the OpenWrt infrastructure and/or software?

Since it mostly pertains to PGP communication I would reckon rather not?

While it will be hurtful to anyone using gpg/pgp, it doesn't have any immediate effect on OpenWrt, nor is it actually an attack vector for injecting compromised code (neither into OpenWrt, nor GnuPG). Could it eventually have negative effects on the buildbot infrastructure? Possibly (albeit not very likely), but also not fatally (temporary denial of service, not an actual security implication).

That was the concern, since the gpg/pgp cryptographic keys are not just utilised in (now supposedly) secure communication but also as a means of verification in various other scenarios, and considering the potential fallout:

  • If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.

Of course, if such gpg/pgp cryptographic keys are not in play then there is no risk.