On 10/13/2011 11:13 AM, Tomas Mraz wrote:
> On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
>> On 10/12/2011 09:59 PM, Mike McGrath wrote:
>>> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>>>
>>>> On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
>>>>
>>>>> Lots of people use and share keys across different projects.
>>>>
>>>> There is no security issue in sharing keys across different projects,
>>>> other than that it gives a strong hint that you are the same person in
>>>> both projects, much stronger than name or email.
>>>>
>>>
>>> Sorry I didn't explain it very well.
>>>
>>> 1) People share keys across different projects.
>>> 2) We've found PRIVATE keys on our servers.
>>> 3) We have no reason to believe private keys that can authenticate to
>>> Fedora weren't on some of the compromised systems we've heard so much
>>> about.
>>
>> 4) There are indications of keys being shared between individuals.
> Which you dreamed up and made false accusations of.

Putting aside the rude tone of your answer, ...

... there were questionable git check-ins from a "package dep mass rebuilt", whose changelog entries were attributed to a different person than the one who actually committed the changes (doing so makes sense when a person submits a substantial patch, but doing so in a "mass rebuild" doesn't).

This leaves few conclusions, e.g.
- the account owner passed on his ssh keys to another person or granted terminal access to another person, who then failed to disguise himself as the account owner.
- the account owner doesn't understand changelog entries and committed a broken changelog entry.

Note that I said "indications" - maybe the git server admins could prove this (e.g. by checking IPs), but it's close to impossible to prove from outside.

> But let's suppose
> that anyone really shares their private keys on purpose what would
> prevent them to share them again if they change them?

Nothing - it's a matter of trust.

If these people are caught, confronting them with sanctions (closing down their Fedora accounts) would be an appropriate means.

Ralf

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel