I think a "security event driven" change policy would be more
effective than an arbitrary change policy driven by a deadline.
LinuxCode asked me about this in #fedora-noc after I mentioned:
"... there is conflicting evidence (one might call it 'opinion' more
than evidence) as to whether frequent changes are effective ... just a
The article that precipitated this comment was one published by Bruce
Schneier . Again, this is "yet another opinion."