On 10/13/2011 11:13 AM, Tomas Mraz wrote:
> On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
>> On 10/12/2011 09:59 PM, Mike McGrath wrote:
>>> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>>>
>>>> ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
>>>>
>>>>> Lots of people use and share keys across different projects.
>>>>
>>>> There is no security issue in sharing keys across different projects,
>>>> other than that it gives a strong hint that you are the same person in
>>>> both projects, much stronger than name or email.
>>>>
>>>
>>> Sorry I didn't explain it very well.
>>>
>>> 1) People share keys across different projects.
>>> 2) We've found PRIVATE keys on our servers
>>> 3) We have no reason to believe private keys that can authenticate to
>>> Fedora weren't on some of the compromised systems we've heard so much
>>> about.
>>
>> 4) There are indications for keys being shared between individuals.
> Which you dreamed up and made false accusations of.
Putting aside the rude tone of your answer, ...
... there were questionable git check-ins from a "package dep mass
rebuild", whose changelog entries were attributed to a different person
than the one who actually committed the changes (Doing so makes sense when
a person submits a substantial patch, but doing so in a "mass rebuild"
doesn't).
This leaves few conclusions, e.g.
- the account owner passed on his ssh keys to another person or granted
terminal access to another person, who then failed to disguise himself
as the account owner.
- the account owner doesn't understand changelog entries and committed a
broken changelog entry.
Note that I said "indications" - Maybe the git server admins could
prove this (e.g. by checking IPs), but it's close to impossible to prove
from outside.
> But let's suppose
> that anyone really shares their private keys on purpose; what would
> prevent them from sharing them again if they change them?
Nothing - It's a matter of trust.
If these people are caught, confronting them with sanctions (close down
their Fedora accounts) would be an appropriate means.
Ralf