On 3/26/2013 8:39 AM, Roger Serwy wrote:
>
>> Well if a MITM attacker tries to use your ssh access to do anything
>> nasty,
>> another developer will probably notice quite quickly.
>> (the only "nasty thing" the ssh access allows you to do is "hg push",
>> IIRC; still, that can trigger code execution on the buildbots)
>>
>>
> Sure, but it would be better to actually have the fingerprints to avoid
> the MITM attack altogether.

I completely agree. "We'll notice the damage" is not a great reason to
avoid publishing the fingerprints.

> Can someone log into hg.python.org and get the public keys for the server?

Not me. But from my hosts, I get:

RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.

--
Eric.
_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
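
Checking a server key against a fingerprint published out of band, as the thread above asks for (an added example, not part of the original messages). The host name and key below are constructed and the function names are hypothetical; the code computes the colon-separated MD5 form quoted in the message and the SHA256 form that newer OpenSSH clients print.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def constructed_host_line(host: str, seed: bytes) -> str:
    """Build a known_hosts-style line around a constructed (not real) RSA blob."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8  # filler bytes, not a real key
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def fingerprints(known_hosts_line: str) -> dict:
    """Return the MD5 (colon-hex) and SHA256 (base64) fingerprints of a key line."""
    _host, key_type, b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob itself starts with the key type; reject lines where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
    }


def matches_published(known_hosts_line: str, published: str) -> bool:
    """Compare the key a server presented with a fingerprint obtained out of band."""
    fp = fingerprints(known_hosts_line)
    if published.startswith("SHA256:"):
        return fp["sha256"] == published  # base64 is case-sensitive
    return fp["md5"] == published.strip().lower()


if __name__ == "__main__":
    line = constructed_host_line("hg.example.invalid", b"genuine server")
    published = fingerprints(line)["md5"]  # stands in for the value the project publishes
    other = constructed_host_line("hg.example.invalid", b"someone in the middle")
    print(matches_published(line, published), matches_published(other, published))
```
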