Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
kevin.kofler at chello.at
Fri Oct 14 02:26:27 UTC 2011
Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin at scrye.com> wrote:
>> All existing users of the Fedora Account System (FAS) at
>> https://admin.fedoraproject.org/accounts are required to change their
>> password and upload a NEW ssh public key before 2011-11-30.
> I have to upload a *new* public key? Why should I have two sets of keys?
> (or upload a new key to all the other f***ing servers I'm using)
>> * Nine or more characters with lower and upper case letters, digits and
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters with lower case letters and digits
>> * Twenty or more characters with all lower case letters.
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
> Talk about putting up barriers.
This stupid security paranoia really needs to stop! There is NO concrete
reason why we're being forced to change the password and the SSH key, plus
the new password requirements are too strict. It's bad enough that we have
to generate a new Koji client certificate every 6 months for no reason. (The
expiration time on these should be infinite, only explicitly revoked certs
should be rejected.)
Now after the whole FPCA stuff (which was enforced really radically, with a
tight deadline, mass orphaning of packages and no deadline extension even
though many people hadn't complied by the posted deadline, when the old ICLA
had served us well for years (so why the rush?)), we're going to once again
lose many contributors, and packages with them, due to stupid, unnecessary
and inflexible bureaucratic policies being enforced in an automated and
And once again we're going another step further from TRUSTING our
contributors (to either keep their credentials secure or replace/revoke
them, in this case).
What will come next? Will you start taking our (actual, biometric)
fingerprints? Iris scans? Will we only be able to log into Fedora
infrastructure in the presence of armed security guards? It's time to stop
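As an added example (not code from FAS or from anyone in this thread), the checker below applies the four password tiers quoted above and estimates the naive brute-force search space each minimum implies. It assumes a strict reading of the list: a character mix that matches none of the four rows (upper case only, for instance) is rejected, "punctuation" means ASCII punctuation, and characters outside the four classes neither help nor disqualify.

```python
import math
import string

LOWER, UPPER, DIGIT, PUNCT = "lower", "upper", "digit", "punct"

# Minimum length per character mix, transcribed from the quoted FAS policy.
# Assumption: the mix must match a row exactly; anything else is rejected.
POLICY_TIERS = [
    (frozenset({LOWER, UPPER, DIGIT, PUNCT}), 9),
    (frozenset({LOWER, UPPER, DIGIT}), 10),
    (frozenset({LOWER, DIGIT}), 12),
    (frozenset({LOWER}), 20),
]

# Alphabet size contributed by each class, for a naive entropy estimate.
CLASS_SIZES = {LOWER: 26, UPPER: 26, DIGIT: 10, PUNCT: len(string.punctuation)}


def character_classes(password):
    """Return the set of policy character classes present in the password.
    Characters outside the four classes (spaces, non-ASCII) are ignored."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add(LOWER)
        elif c in string.ascii_uppercase:
            classes.add(UPPER)
        elif c in string.digits:
            classes.add(DIGIT)
        elif c in string.punctuation:
            classes.add(PUNCT)
    return frozenset(classes)


def required_length(classes):
    """Minimum length for this exact class mix, or None if no tier matches."""
    for tier, min_len in POLICY_TIERS:
        if classes == tier:
            return min_len
    return None


def check_password(password):
    """Return (accepted, reason) under the quoted policy."""
    min_len = required_length(character_classes(password))
    if min_len is None:
        return False, "character mix matches no policy tier"
    if len(password) < min_len:
        return False, f"need at least {min_len} characters for this mix"
    return True, "ok"


def naive_entropy_bits(password):
    """length * log2(alphabet size), the usual rough brute-force estimate."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0
```

Under this naive model the four minimums work out to roughly 59, 60, 62 and 94 bits, which shows the tiers are trading character variety against length rather than demanding different strength.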