Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Mike McGrath mmcgrath at redhat.com
Wed Oct 12 18:04:15 UTC 2011


On Wed, 12 Oct 2011, Simo Sorce wrote:

> On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > On Wed, 12 Oct 2011 13:30:19 -0400
> > Jeff Layton <jlayton at redhat.com> wrote:
> >
> > > I have a question not covered here: I just changed my ssh key a week
> > > or two ago in the wake of the kernel.org compromise...
> > >
> > > Is my new key sufficient? I really don't want to have to re-distribute
> > > my key to all of the various servers again.
> >
> > Well, we talked about this some, but we don't have fingerprints from
> > several weeks ago to check people against to confirm they uploaded a
> > new key.
> >
> > Would it be possible for you to just make a new fedora only key?
>
> Can you stop asking useless security theater measures instead?
>
> My ssh keys are fine and I see no reason to change them for you.
> If all projects I participate in were to ask me to change my keys I
> would end up with a mess of different keys for absolutely no reason.
>
> I have no problem with changing the password, but leave my ssh keys
> alone, unless there is a real reason to ask people to change them.
>

Look at it this way, your keys and password may be fine.  Can you say the
same about every other Fedora contributor?  If not, what criteria would
you use to say who should and shouldn't change their passwords and keys?

Lots of people use and share keys across different projects.  Lots of bad
stuff is going down, and we don't have much information on what's been
compromised where, who or how.  It might seem like theater to you.
You're very in tune with the feng-shui of security and you are probably
fine.  But not all of our contributors can say that.

	-Mike
