On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Simo Sorce wrote:
> >
> > > On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > > > On Wed, 12 Oct 2011 13:30:19 -0400
> > > > Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > > >
> > > > > I have a question not covered here: I just changed my ssh key a week
> > > > > or two ago in the wake of the kernel.org compromise...
> > > > >
> > > > > Is my new key sufficient? I really don't want to have to re-distribute
> > > > > my key to all of the various servers again.
> > > >
> > > > Well, we talked about this some, but we don't have fingerprints from
> > > > several weeks ago to check people against to confirm they uploaded a
> > > > new key.
> > > >
> > > > Would it be possible for you to just make a new fedora only key?
> > >
> > > Can you stop asking useless security theater measures instead?
> > >
> > > My ssh keys are fine and I see no reason to change them for you.
> > > If all projects I participate in were to ask me to change my keys I
> > > would end up with a mess of different keys for absolutely no reason.
> > >
> > > I have no problem with changing the password, but leave my ssh keys
> > > alone, unless there is a real reason to ask people to change them.
> > >
> >
> > Look at it this way, your keys and password may be fine. Can you say the
> > same about every other Fedora contributor? If not, what criteria would
> > you use to say who should and shouldn't change their passwords and keys?
>
> Given the way passwords are used I see no issue in asking them to be
> changed, they are very easy to steal in our current system, so I don't
> complain about that.
>
> Ssh keys are a different matter, they are generally much more secure as
> they are not easily distributed or easy to steal, and changing them is
> no assurance the new ones are not as compromised.

(see previous mail)

> > Lots of people use and share keys across different projects. Lots of bad
> > stuff is going down, we don't have much information on what's been
> > compromised where, who or how. It might seem like theater to you.
> > You're very in tune with the feng-shui of security and you are probably
> > fine. But not all of our contributors can say that.
>
> Storing a public key is not an issue, so the fact I use my key with
> different projects has absolutely no bearing on my exposure, zero,
> zilch. Unless I store my *private* keys on non-personal machines.
>
> The problem is that blindly changing keys if a contributor is being
> careless accomplishes exactly nothing, and just burdens all careful
> ones.
>
> If you have evidence of contributors being careless with SSH keys the
> only recourse is to identify and educate the offenders requiring them to
> change those keys and not have a 'hit 100 to educate 1' policy that
> serves little or no purpose.

+1^10

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
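Kevin's remark in the thread that the infrastructure had no fingerprints from a few weeks earlier to check contributors against is the gap this added example addresses (it is not code from the thread or from Fedora infrastructure): it computes fingerprints in the SHA256 form that ssh-keygen -lf prints from the stored public key lines, which are harmless to keep as Simo notes, and compares a baseline snapshot with the current one so that whether each account actually uploaded a new key is checked rather than asked. The user names and key bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_line(pubkey32, comment):
    """Constructed authorized_keys-style line for a 32-byte ed25519 public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def fingerprint(line):
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64(sha256(blob)), unpadded."""
    keytype, b64 = line.split()[:2]  # the trailing comment plays no part
    blob = base64.b64decode(b64)
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("declared key type does not match the key blob")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def snapshot(keys_by_user):
    """Map each user to the set of fingerprints of the keys currently on file."""
    return {u: {fingerprint(l) for l in lines} for u, lines in keys_by_user.items()}

def rotation_report(before, after):
    """'rotated' if no baseline fingerprint survives, 'unchanged' if any does,
    'no_baseline' if the user has no entry in the earlier snapshot."""
    report = {}
    for user, now in after.items():
        old = before.get(user)
        if old is None:
            report[user] = "no_baseline"
        elif now & old:
            report[user] = "unchanged"
        else:
            report[user] = "rotated"
    return report

# Constructed sample: placeholder users and made-up key bytes, not real keys.
BASELINE = snapshot({"alice": [make_ed25519_line(bytes(range(32)), "alice@old")],
                     "bob": [make_ed25519_line(bytes([7] * 32), "bob@laptop")]})
CURRENT = snapshot({"alice": [make_ed25519_line(bytes([42] * 32), "alice@new")],  # new key
                    "bob": [make_ed25519_line(bytes([7] * 32), "bob@desk")],  # same key, new comment
                    "carol": [make_ed25519_line(bytes([9] * 32), "carol@desk")]})  # no baseline
REPORT = rotation_report(BASELINE, CURRENT)
```

Only users classified "unchanged" would need a follow-up, which is the targeted approach Simo argues for rather than a blanket rotation request.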