Thanks for pointing this out, @oli. There’s no need for concern. Back in 2021, Joanna decided to stop signing canaries, and the Qubes security team (QST) agreed to allow her to stop signing them. It looks like we just forgot to remove her name from this page when that happened.
Joanna’s final signed canary was Canary 028, which was published on 2021-08-31. Included in that canary was a special announcement explaining that Joanna would no longer be signing canaries. In addition, two PGP-signed letters were included alongside the canary: one from Joanna, explaining why she decided to stop signing canaries after that point, and one from the QST (i.e., Marek and Simon), explaining why they accepted Joanna’s decision. Here are all the GitHub links to the specific files in the Qubes security pack (qubes-secpack):
Canary 028 and sigs:
- canary-028-2021.txt
- canary-028-2021.txt.sig.joanna
- canary-028-2021.txt.sig.marmarek
- canary-028-2021.txt.sig.simon
Joanna’s letter and sig:
Qubes security team letter and sigs:
- canary-028-2021-letter-qst.txt
- canary-028-2021-letter-qst.txt.sig.marmarek
- canary-028-2021-letter-qst.txt.sig.simon
As always, we encourage everyone to authenticate these signatures themselves.
I’ve now removed Joanna from the list of security team members. I’ve also added an update to the Qubes Security Team Update from 2018 stating that the decision to have Joanna sign canaries in perpetuity was subsequently reversed.
However, I must correct one inaccuracy. You wrote:
The canary itself does not say this. Rather, the news post announcing the canary says it in an ancillary informational section about Qubes canaries in general. This is an important distinction, since only the canary itself is signed by the QST. In fact, this very point is addressed two paragraphs later, where it says:
In addition, the ancillary informational section does not merely say that a missing signature is an indication that something is wrong. It says (emphasis added):
In this case, there were full PGP-signed explanations from all parties involved, and the event was announced in advance. That is, Joanna signed Canary 028, which included the special announcement that she would stop signing future canaries alongside the signed letters from both parties, then subsequently stopped signing canaries. It’s not as though she suddenly stopped signing them and the project tried to explain away her sudden lack of signing after the fact. It was an orderly, planned, and pre-announced event.