
On Tuesday 17 October 2017 at 13:36 +0300, Eyal Edri wrote:
> On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer@redhat.com> wrote:
>
> > On Tuesday 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > > Quack,
> > >
> > > So the news (thanks Misc for the alert):
> > >   https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> > >
> > > This affects Yubikeys and other hardware:
> > >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> > >
> > > There's a nice tool to test if a key is vulnerable:
> > >   https://github.com/crocs-muni/roca
> > >
> > > I tested keys in the oVirt Puppet repository and none are affected.
> > >
> > > You may check your other keys and ensure keys are checked in other projects.
> >
> > Ideally, if someone could verify the key in Gerrit, it would be helpful.
> > I removed mine, but I suspect I am not the only one who tried to follow
> > best practices :)
>
> If you run the tool locally on your .ssh/ dir, it should include already
> the public key you have on Gerrit no?

Well, I know my key is vulnerable, got notified by Fedora and GitHub. But I just do not know where I used it exactly, because I have accounts everywhere, and it's likely that I may forget it in some place.

> We'll need to check if it's possible to run that tool on Gerrit and if the
> keys are even stored on the fs and not inside the Gerrit DB.

If they are in the DB, we can extract it with a sql request ILMHO. I plan to look at Gluster's gerrit instance once I finish my own cleanup and key generation, which is a rather tedious task (cause I also found out that my backup key is not working anymore for an unknown reason).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
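
The check discussed in this thread, sketched as an added example (not part of the original messages and not the crocs-muni/roca code): it reads `ssh-rsa` public key lines, such as `.ssh/*.pub` files or keys exported from a database, and flags moduli that lie in the subgroup generated by 65537 modulo every small prime, which is the structure of keys produced by the affected library. The function names are hypothetical, the input is assumed to be one key per line with the key type first, and the sample keys are constructed; a match should be confirmed with the real tool before rotating keys.

```python
import base64
import struct
from math import prod

def subgroup(g, p):
    """Residues generated by g modulo the prime p."""
    return {pow(g, k, p) for k in range(p - 1)}

# Odd primes up to 167: an affected modulus lies in the subgroup of 65537 for each one.
PRIMES = [p for p in range(3, 168) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
ALLOWED = {p: subgroup(65537 % p, p) for p in PRIMES}

def has_roca_fingerprint(n):
    """True when n matches the structural fingerprint for every small prime."""
    return all(n % p in ok for p, ok in ALLOWED.items())

def rsa_modulus(pubkey_line):
    """Modulus of an 'ssh-rsa' line ('type base64 [comment]'), else None."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob, parts = base64.b64decode(fields[1]), []
    while len(blob) >= 4:  # wire format: uint32 length, then that many bytes
        (length,) = struct.unpack(">I", blob[:4])
        parts.append(blob[4:4 + length])
        blob = blob[4 + length:]
    return int.from_bytes(parts[2], "big") if len(parts) == 3 else None

def scan(lines):
    """Last field (the comment) of each ssh-rsa line whose modulus matches."""
    moduli = ((line, rsa_modulus(line)) for line in lines)
    return [line.split()[-1] for line, n in moduli if n and has_roca_fingerprint(n)]

def ssh_rsa_line(n, comment, e=65537):
    """Encode a modulus as an ssh-rsa line; used only to build the samples below."""
    def field(raw):
        return struct.pack(">I", len(raw)) + raw
    ints = [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (e, n)]
    blob = b"".join(field(raw) for raw in [b"ssh-rsa"] + ints)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed samples, not real keys: FLAWED only imitates the affected structure.
M = prod([2] + PRIMES)
FLAWED = (5 * M + pow(65537, 1234, M)) * (7 * M + pow(65537, 5678, M))
SAMPLES = [ssh_rsa_line(FLAWED, "constructed-flawed"),
           ssh_rsa_line(2 ** 511 + 111, "constructed-other"),
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 not-rsa"]
```

`scan(SAMPLES)` reports only the first entry; non-RSA key types are skipped because the flaw concerns RSA key generation.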