Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

seth vidal skvidal at fedoraproject.org
Wed Oct 12 20:40:07 UTC 2011


On Wed, 2011-10-12 at 22:34 +0200, Tomas Mraz wrote:
> Unnecessary work is kind of punishment.
> 
> BTW what prevents the people who do not care about their SSH private key
> security to upload their new SSH key to a compromised system immediately
> after they generate it again?

Nothing prevents them from doing it. But this action, here, today, is
trying to stave off risk from PAST compromises of others' systems. It is
not trying to stave off FUTURE compromises.

It's like changing your house locks if you lose your keys. Nothing keeps
you from losing your keys again - but you're completely certain that the
old keys are useless now.

To be clear - this is not the only measure we're taking. We're trying to
enhance our security posture so we can be better able to deal with what
appears to now be a commonplace event in the open source development
world.

-sv



