Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Kevin Kofler kevin.kofler at chello.at
Fri Oct 14 02:26:27 UTC 2011


Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin at scrye.com> wrote:
>> All existing users of the Fedora Account System (FAS) at
>> https://admin.fedoraproject.org/accounts are required to change their
>> password and upload a NEW ssh public key before 2011-11-30.
> 
> I have to upload a *new* public key? Why should I have two sets of keys?

(or upload a new key to all the other f***ing servers I'm using)

+1

>> * Nine or more characters with lower and upper case letters, digits and
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters with lower case letters and digits
>> * Twenty or more characters with all lower case letters.
> 
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
> 
> Talk about putting up barriers.

+1 again!

This stupid security paranoia really needs to stop! There is NO concrete 
reason why we're being forced to change the password and the SSH key, plus 
the new password requirements are too strict. It's bad enough that we have 
to generate a new Koji client certificate every 6 months for no reason. (The 
expiration time on these should be infinite, only explicitly revoked certs 
should be rejected.)

Now after the whole FPCA stuff (which was enforced really radically, with a 
tight deadline, mass orphaning of packages and no deadline extension even 
though many people hadn't complied by the posted deadline, when the old ICLA 
had served us well for years (so why the rush?)), we're going to once again 
lose many contributors, and packages with them, due to stupid, unnecessary 
and inflexible bureaucratic policies being enforced in an automated and 
draconian way.

And once again we're going another step further from TRUSTING our 
contributors (to either keep their credentials secure or replace/revoke 
them, in this case).

What will come next? Will you start taking our (actual, biometric) 
fingerprints? Iris scans? Will we only be able to log into Fedora 
infrastructure in the presence of armed security guards? It's time to stop 
the nonsense!

        Kevin Kofler
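As an added illustration (not code from the thread, from FAS, or from any of its authors), a small Python checker that encodes the four password rules quoted from Kevin Fenzi's announcement. It assumes that a character mix not listed in the announcement is rejected, and that only ASCII letters, digits and punctuation count toward a character class (other characters add to the length but to no class).

```python
import string

# Minimum length required by the quoted policy for each character mix.
# Listed from the most inclusive mix (most lenient length) to the least.
POLICY_RULES = [
    ({"lower", "upper", "digit", "punct"}, 9),   # letters both cases, digits, punctuation
    ({"lower", "upper", "digit"}, 10),           # letters both cases and digits
    ({"lower", "digit"}, 12),                    # lower case letters and digits
    ({"lower"}, 20),                             # lower case letters only
]


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        # Anything else (e.g. non-ASCII) counts toward length only.
    return classes


def minimum_length(classes):
    """Return the minimum length the quoted rules demand for this mix,
    or None when no listed rule covers it (assumed to mean 'rejected')."""
    for required_classes, length in POLICY_RULES:
        if required_classes <= classes and (required_classes != {"lower"} or classes == {"lower"}):
            return length
    return None


def check_password(password):
    """Return (accepted, reason) for a candidate password under the quoted policy."""
    classes = char_classes(password)
    needed = minimum_length(classes)
    if needed is None:
        return (False, "character mix is not covered by any listed rule")
    if len(password) < needed:
        return (False, f"needs at least {needed} characters for this mix, has {len(password)}")
    return (True, f"meets the {needed}-character rule")
```

Note that an eight-character mixed-case alphanumeric password, like the one Richard describes, fails the ten-character rule that applies to that mix.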
