Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
rc040203 at freenet.de
Thu Oct 13 09:32:24 UTC 2011
On 10/13/2011 11:13 AM, Tomas Mraz wrote:
> On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
>> On 10/12/2011 09:59 PM, Mike McGrath wrote:
>>> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>>>> ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
>>>>> Lots of people use and share keys across different projects.
>>>> There is no security issue in sharing keys across different projects,
>>>> other than that it gives a strong hint that you are the same person in
>>>> both projects, much stronger than name or email.
>>> Sorry I didn't explain it very well.
>>> 1) People share keys across different projects.
>>> 2) We've found PRIVATE keys on our servers
>>> 3) We have no reason to believe private keys that can authenticate to
>>> Fedora weren't on some of the compromised systems we've heard so much
>> 4) There are indications for keys being shared between individuals.
> Which you dreamed up and made false accusations of.
Putting aside the rude tone of your answer, ...
... there were questionable git check-ins from a "package dep mass
rebuilt", whose changelog entries were attributed to a different person
than that who actually committed the changes (Doing so makes sense when a
person submits a substantial patch, but doing so in a "mass rebuild"
This leaves few conclusions, e.g.
- the account owner passed on his ssh keys to another person or granted
terminal access to another person, who then failed to disguise himself
as the account owner.
- the account owner doesn't understand changelog entries and committed a
broken changelog entry.
Note that I said "indications" - Maybe the git server admins could
prove this (e.g. checking IPs), but it's close to impossible to prove from
> But let's suppose
> that anyone really shares their private keys on purpose what would
> prevent them to share them again if they change them?
Nothing - It's a matter of trust.
If these people are caught, confronting them with sanctions (close down
their Fedora accounts) would be an appropriate means.
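The indicator described in this message, a commit whose git author differs from the person named in the matching %changelog entry, can be checked mechanically over a package repository. The following is an added example, not code from the thread or from Fedora infrastructure; the commit hashes, names and addresses are constructed placeholders, and the git log format (`%an <%ae>|%H|%s`) and the RPM %changelog header layout are the only assumptions it makes about the input.

```python
import re
from typing import List, Tuple

# Constructed sample: output of `git log --format='%an <%ae>|%H|%s'`.
# The people, addresses and hashes are placeholders, not from the thread.
GIT_LOG = """\
Alice Example <alice@example.org>|0000000000000000000000000000000000000001|Mass rebuild for new dependency
Bob Example <bob@example.org>|0000000000000000000000000000000000000002|Fix build with gcc 4.6
"""

# Constructed sample %changelog entries in RPM spec style, newest first,
# one per commit above. The first one names Bob although Alice committed.
CHANGELOG_ENTRIES = [
    "* Wed Oct 12 2011 Bob Example <bob@example.org> - 1.0-2\n- Mass rebuild for new dependency",
    "* Tue Oct 11 2011 Bob Example <bob@example.org> - 1.0-1\n- Fix build with gcc 4.6",
]

# "* Dow Mon DD YYYY Name <email> - EVR" is the conventional %changelog header.
CHANGELOG_HEADER = re.compile(
    r"^\* \w{3} \w{3} \d{1,2} \d{4} (?P<author>.+?) - (?P<evr>\S+)$", re.M
)
EMAIL = re.compile(r"<([^>]+)>")


def identity_key(author: str) -> str:
    """Reduce 'Name <email>' to a comparable key: the e-mail address if present,
    otherwise the lower-cased name. Display names vary; addresses rarely do."""
    m = EMAIL.search(author)
    return (m.group(1) if m else author).strip().lower()


def changelog_author(entry: str) -> str:
    """Return the 'Name <email>' part of a %changelog entry header."""
    m = CHANGELOG_HEADER.search(entry)
    if not m:
        raise ValueError(f"unrecognised %changelog header: {entry.splitlines()[0]!r}")
    return m.group("author")


def parse_git_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse '%an <%ae>|%H|%s' lines into (author, sha, subject) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        author, sha, subject = line.split("|", 2)
        commits.append((author, sha, subject))
    return commits


def find_attribution_mismatches(git_log: str, changelog_entries: List[str]):
    """Pair each commit with its %changelog entry and report those where the
    git author and the changelog author are different identities.

    Returns a list of (sha, git_author, changelog_author, subject)."""
    mismatches = []
    for (author, sha, subject), entry in zip(parse_git_log(git_log), changelog_entries):
        cl_author = changelog_author(entry)
        if identity_key(author) != identity_key(cl_author):
            mismatches.append((sha, author, cl_author, subject))
    return mismatches


if __name__ == "__main__":
    for sha, git_author, cl_author, subject in find_attribution_mismatches(GIT_LOG, CHANGELOG_ENTRIES):
        print(f"{sha[:12]} {subject!r}: committed by {git_author}, changelog names {cl_author}")
```

A mismatch is only an indicator, as the message says: it is consistent with a shared key or shared terminal session, but equally with a maintainer who mis-edited the changelog, so the output is a list of commits to look at, not a verdict.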