Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Ralf Corsepius rc040203 at freenet.de
Thu Oct 13 09:32:24 UTC 2011


On 10/13/2011 11:13 AM, Tomas Mraz wrote:
> On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
>> On 10/12/2011 09:59 PM, Mike McGrath wrote:
>>> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>>>
>>>> ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath:
>>>>
>>>>> Lots of people use and share keys across different projects.
>>>>
>>>> There is no security issue in sharing keys across different projects,
>>>> other than that it gives a strong hint that you are the same person in
>>>> both projects, much stronger than name or email.
>>>>
>>>
>>> Sorry I didn't explain it very well.
>>>
>>> 1) People share keys across different projects.
>>> 2) We've found PRIVATE keys on our servers
>>> 3) We have no reason to believe private keys that can authenticate to
>>> Fedora weren't on some of the compromised systems we've heard so much
>>> about.
>>
>> 4) There are indications for keys being shared between individuals.
> Which you dreamed up and made false accusations of.

Putting aside the rude tone of your answer, ...

... there were questionable git check-ins from a "package dep mass 
rebuilt", whose changelog entries were attributed to a different person 
than that who actually committed the changes (Doing so makes sense when a 
person submits a substantial patch, but doing so in a "mass rebuild" 
doesn't).

This leaves few conclusions, e.g.
- the account owner passed on his ssh keys to another person or granted 
terminal access to another person, who then failed to disguise himself 
as the account owner.
- the account owner doesn't understand changelog entries and committed a 
broken changelog entry.

Note that I said "indications" - Maybe the git server admins could 
prove this (e.g. checking IPs), but it's close to impossible to prove from 
outside.

> But let's suppose
> that anyone really shares their private keys on purpose what would
> prevent them to share them again if they change them?

Nothing - It's a matter of trust.

If these people are caught, confronting them with sanctions (close down 
their Fedora accounts) would be an appropriate means.

Ralf