This morning, we announced that we are requiring Fedora contributors to change their passwords and upload new ssh public keys by the end of next month. There’s no breach or cause for alarm; we just thought that, with all the high-profile hacking happening out there, it would be a good time for everyone to go look at their security practices and create new keys and passwords (see the announcement for the full list).
Please do go and change your password and create a new ssh key at your convenience (but before 2011-11-30).
I’m sorry that the ssh key requirement has caused stress for some contributors, but please realize we are not singling anyone out here; there are good reasons to ask for this change now, when it’s not urgent or triggered by outside events. Just a few of them:
- Allow you to revisit your security process and policies and read about best practices
- Allow you to see how to make the changes, and on which machines and in which places you need to make them, in case you ever have to make a more hurried change
- Allow you to set up a separate ssh key for Fedora matters. This separates out some risk, at the cost of another passphrase and possibly hitting ssh server limits (most allow you to try only 6 keys).
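
One way to set up the separate Fedora key from the last point without running into the server's key-attempt limit, as an added example that is not part of the original announcement. The host pattern, key path and function names are assumptions; `IdentitiesOnly yes` makes the client offer only the pinned key instead of every key the agent holds.

```sh
#!/bin/sh
# Added example: a dedicated key plus a per-host ssh_config stanza.
# Assumptions (not from the post): the host pattern *.fedoraproject.org,
# the key path passed in by the caller, and all function names.

# Generate a dedicated key pair; ssh-keygen prompts for the passphrase.
make_dedicated_key() {
    keyfile=$1
    ssh-keygen -t ed25519 -f "$keyfile" -C "fedora-only key"
}

# Append a stanza that pins the dedicated key to the Fedora hosts.
# Without IdentitiesOnly, keys held by the agent may be offered first
# and can use up the server's attempt limit before this key is tried.
add_fedora_stanza() {
    config=$1
    keyfile=$2
    # Idempotent: do nothing if the marker comment is already present.
    if grep -qs '^# fedora-dedicated-key$' "$config"; then
        return 0
    fi
    cat >>"$config" <<EOF
# fedora-dedicated-key
Host *.fedoraproject.org
    IdentityFile $keyfile
    IdentitiesOnly yes
EOF
    chmod 600 "$config"
}

# Print the identity settings the client would actually use for a host,
# so the result can be checked before the old key is removed.
show_identity_settings() {
    config=$1
    host=$2
    ssh -G -F "$config" "$host" | grep -E '^(identityfile|identitiesonly) '
}
```

Typical use is `make_dedicated_key ~/.ssh/id_fedora`, then `add_fedora_stanza ~/.ssh/config '~/.ssh/id_fedora'`, then `show_identity_settings` against one of the matched hosts.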
While many of the more savvy Fedora contributors already know these things and have good practices, we hope that everyone will learn something from this or at least not let it inconvenience them for too long.