-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On May 13, 2008, at 7:12 PM, Martin v. Löwis wrote:
If you generated your python subversion ssh key during this time on a
machine fitting the description above, please consider replacing your
keys.
apt-get update ; apt-get upgrade on debian will provide you with a
ssh-vulnkey program that can be used to test if your ssh keys are
valid or not.
I'll ping all committers for which ssh-vulnkey reports COMPROMISED.
I personally don't think the threat is severe - unless people also
published their public SSH keys somewhere, there is little chance that
somebody can break in by just guessing them remotely - you still need
to try a lot of combinations for user names and passwords, plus with
subversion, we'll easily recognize doubtful checkins (as we do even
if the committer is legitimate :-).
It's also probably worth checking the keys for everyone who has shell
access on the python.org machines.
- -Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iQCVAwUBSCpCXHEjvBPtnXfVAQLy5gP+MZJ7/RKDqw9QKvNr9rlGm7GjOBkuWR3B
UA91clzb4Iuy+51+V4B3iUcdmwGtpfYum8/2+1/qpi7abO/IiIQvvOKczQzkv5XL
ALh59zR2iiBuNg1BVW0JPdkyNt6qr2oe8kKdUZfyrwRSKIukX+e40Oa+1zvfp0E7
9AumiqMUCtI=
=EXC8
-----END PGP SIGNATURE-----
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
