Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

[drago01]

On Wed, Oct 12, 2011 at 8:24 PM, Adam Williamson <awilliam at redhat.com> wrote:
> On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote:
>> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam at redhat.com> wrote:
>> > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>> >
>> >> I have no problem with changing the password, but leave my ssh keys
>> >> alone, unless there is a real reason to ask people to change them.
>> >
>> > Reading between the lines of recent attacks, it seems likely that
>> > private keys compromised in some of the attacks were used to perform
>> > others. (No-one's come out and officially said this yet but it seems
>> > pretty obvious from the subtext of some of the reports; I'm thinking
>> > kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
>> > some people may have used the same identities on some of the other
>> > compromised systems as they are using on FAS, and hence it seems pretty
>> > reasonable to require this change.
>>
>> Not really unless there is any evidence pointing towards that
>> direction it is just paranoia.
>> Given the number of FAS account you can pretty much always assume that
>> some account may be compromised but that's not enough to warrant any
>> action. By that logic we should be changing keys daily ....
>
> There's rather fewer FAS accounts with keys than there are total FAS
> accounts. You only need to upload a key if you're a packager, really.

... s/FAS/packager/ ... that wasn't the point.