On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote: > On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote: > > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: > > > >> I have no problem with changing the password, but leave my ssh keys > >> alone, unless there is a real reason to ask people to change them. > > > > Reading between the lines of recent attacks, it seems likely that > > private keys compromised in some of the attacks were used to perform > > others. (No-one's come out and officially said this yet but it seems > > pretty obvious from the subtext of some of the reports; I'm thinking > > kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that > > some people may have used the same identities on some of the other > > compromised systems as they are using on FAS, and hence it seems pretty > > reasonable to require this change. > > Not really unless there is any evidence pointing towards that > direction it is just paranoia. > Given the number of FAS account you can pretty much always assume that > some account may be compromised but that's not enough to warrant any > action. By that logic we should be changing keys daily .... There's rather fewer FAS accounts with keys than there are total FAS accounts. You only need to upload a key if you're a packager, really. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
