Bob Proulx <[email protected]> writes: > Option 3: Do we use the old keys now through the transition but switch > to the new host keys soon after completing the migration? Soon being > 1-2 weeks. This would keep the immediate disruption minimized. It > would allow us to back out of the switch, briefly return to the > previous hosts if problems were found, without thrashing users. > > I have a mixed reaction. Part of me wants to jump immediately to the > longer key. The older keys definitely need to be migrated away. This > would advertise very loudly to all users that things have changed. We > have put in a lot of effort and it will be nice to sing a little about > it. > > But from a risk mitigation point I want to use the old keys just long > enough for us to switch to the new just in case we need to switch back > for a bit. That would actually allow us to ping-pong if needed > without user thrash. Then switch the host keys after we know we are > successfully there. > > Therefore I think we should execute option #3 above. Assaf, Karl, > What do you guys think? Comments?
Personally, I vote for option #3, because it will reduce the number of variables in debugging the inevitable problems that will appear in the transition. But I'm happy to be outvoted by people with more technical expertise, which is all of you. Whenever we do change the keys, we need to make an announcement with the new fingerprint(s) 2-3 days before -- probably to all this mailing list, from the FSF twitter/pump/social account (I think not just fsfstatus for this one, because it will affect so many people), gnu-prog, #fsf, #gnu, #savannah, perhaps in fsf.org/blogs/sysadmin etc. And put the fingerprints prominently on sv.gnu.org itself? The wider we announce the change, the fewer questions we'll get. -john -- John Sullivan | Executive Director, Free Software Foundation GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B http://status.fsf.org/johns | http://fsf.org/blogs/RSS Do you use free software? Donate to join the FSF and support freedom at <http://my.fsf.org/join>.
