Le mardi 17 octobre 2017 à 13:36 +0300, Eyal Edri a écrit : > On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <[email protected] > > > wrote: > > > Le mardi 17 octobre 2017 à 18:56 +0900, Marc Dequènes (Duck) a > > écrit : > > > Quack, > > > > > > So the news (thanks Misc for the alert): > > > > > > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa > > > -bac > > > kground > > > > > > This affects Yubikeys and other hardware: > > > https://www.yubico.com/support/security-advisories/ysa-2017-01/ > > > > > > There's a nice tool to test if a key is vulnerable: > > > https://github.com/crocs-muni/roca > > > > > > I tested keys in the oVirt Puppet repository and none are > > > affected. > > > > > > You may check your other keys and ensure keys are checked in > > > other > > > projects. > > > > Ideally, if someone could verify the key in Gerrit, it would be > > helpful. I removed mine, but I suspect i am not the only one who > > tried > > to follow best practices :) > > > > If you run the tool locally on your .ssh/ dir, it should include > already > the public key you have on Gerrit no?
Well, I know my key is vulnerable, got notified by Fedora and Github. But I just do not know where I used it exactly, because I have account everywhere, and that's likely that I may forget it in some place. > We'll need to check if its possible to run that tool on Gerrit and if > the > keys are even stored on the fs and not inside the Gerrit DB. If they are in the DB, we can extract it with a sql request ILMHO. I plan to look at Gluster's gerrit instance once I finish my own cleanup and key generation, which is a rather tedious task (cause I also found out that my backup key is not working anymore for a unknown reason). -- Michael Scherer Sysadmin, Community Infrastructure and Platform, OSAS
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Infra mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/infra
