1 |
On 09.04.2014 18:39, Jo wrote: |
2 |
> Hi all, this is my first post in this list, so again Hi all! |
3 |
> |
4 |
> I'm a bit concerned about the signing keys of the portage tree releases, |
5 |
> I know that gpg is not the same as openssl but keeping in mind that SSH, |
6 |
> VPN, HTTPS keys might be compromised for two years, don't you think it's |
7 |
> a healthy measure to generate a new pair of keys? |
8 |
|
9 |
GPG private keys are kept and used nowhere near any server processes, |
10 |
not transferred via HTTPS or any VPNs, and SSH is not affected. I don't |
11 |
see an immediate need to rotate them. |
12 |
|
13 |
-- |
14 |
Alex Legler <a3li@g.o> |
15 |
Gentoo Security/Ruby/Infrastructure |