Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Mike McGrath mmcgrath at redhat.com
Wed Oct 12 20:22:06 UTC 2011


On Wed, 12 Oct 2011, Tomas Mraz wrote:

> On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Henrik Nordström wrote:
> >
> > > ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
> > >
> > > > Lots of people use and share keys across different projects.
> > >
> > > There is no security issue in sharing keys across different projects,
> > > other than that it gives a strong hint that you are the same person in
> > > both projects, much stronger than name or email.
> > >
> >
> > Sorry I didn't explain it very well.
> >
> > 1) People share keys across different projects.
> > 2) We've found PRIVATE keys on our servers
> > 3) We have no reason to believe private keys that can authenticate to
> > Fedora weren't on some of the compromised systems we've heard so much
> > about.
> >
> > You have to remember, lots of our contributors aren't highly technical.
> > Some don't even know what a private key is.  They just follow the docs on
> > the website and get access to contribute.  Not everyone is a packager.
>
> OK, but then you should not penalize also the people who keep their SSH
> private keys only on safe private computers.
>

First, asking people to change their key is work, not punishment.

Second, we have no idea how to figure out who has uploaded their private
keys to compromised systems that we don't run.  If you know how we're all
ears :)  That's the problem with these things, coming up with criteria of
who should and who shouldn't is nearly impossible so one bad apple is
spoiling the bunch.  It stinks but it happens.

	-Mike
