Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Tomas Mraz tmraz at redhat.com
Wed Oct 12 20:13:11 UTC 2011


On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote: 
> On Wed, 12 Oct 2011, Henrik Nordström wrote:
> 
> > ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
> >
> > > Lots of people use and share keys across different projects.
> >
> > There is no security issue in sharing keys across different projects,
> > other than that it gives a strong hint that you are the same person in
> > both projects, much stronger than name or email.
> >
> 
> Sorry I didn't explain it very well.
> 
> 1) People share keys across different projects.
> 2) We've found PRIVATE keys on our servers
> 3) We have no reason to believe private keys that can authenticate to
> Fedora weren't on some of the compromised systems we've heard so much
> about.
> 
> You have to remember, lots of our contributors aren't highly technical.
> Some don't even know what a private key is.  They just follow the docs on
> the website and get access to contribute.  Not everyone is a packager.

OK, but then you should also not penalize the people who keep their SSH
private keys only on safe private computers.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb