On Wed, 12 Oct 2011, Simo Sorce wrote:

> On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > On Wed, 12 Oct 2011 13:30:19 -0400
> > Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> >
> > > I have a question not covered here: I just changed my ssh key a week
> > > or two ago in the wake of the kernel.org compromise...
> > >
> > > Is my new key sufficient? I really don't want to have to re-distribute
> > > my key to all of the various servers again.
> >
> > Well, we talked about this some, but we don't have fingerprints from
> > several weeks ago to check people against to confirm they uploaded a
> > new key.
> >
> > Would it be possible for you to just make a new fedora only key?
>
> Can you stop asking useless security theater measures instead?
>
> My ssh keys are fine and I see no reason to change them for you.
> If all projects I participate in were to ask me to change my keys I
> would end up with a mess of different keys for absolutely no reason.
>
> I have no problem with changing the password, but leave my ssh keys
> alone, unless there is a real reason to ask people to change them.
>

Look at it this way, your keys and password may be fine. Can you say the same about every other Fedora contributor? If not, what criteria would you use to say who should and shouldn't change their passwords and keys? Lots of people use and share keys across different projects. Lots of bad stuff is going down, we don't have much information on what's been compromised where, who or how.

It might seem like theater to you. You're very in tune with the feng-shui of security and you are probably fine. But not all of our contributors can say that.

-Mike