On Wed, Oct 12, 2011 at 8:24 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote:
>> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>> > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>> >
>> >> I have no problem with changing the password, but leave my ssh keys
>> >> alone, unless there is a real reason to ask people to change them.
>> >
>> > Reading between the lines of recent attacks, it seems likely that
>> > private keys compromised in some of the attacks were used to perform
>> > others. (No-one's come out and officially said this yet but it seems
>> > pretty obvious from the subtext of some of the reports; I'm thinking
>> > kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
>> > some people may have used the same identities on some of the other
>> > compromised systems as they are using on FAS, and hence it seems pretty
>> > reasonable to require this change.
>>
>> Not really unless there is any evidence pointing towards that
>> direction it is just paranoia.
>> Given the number of FAS accounts you can pretty much always assume that
>> some account may be compromised but that's not enough to warrant any
>> action. By that logic we should be changing keys daily ....
>
> There's rather fewer FAS accounts with keys than there are total FAS
> accounts. You only need to upload a key if you're a packager, really.

... s/FAS/packager/ ... that wasn't the point.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel