From: Luis Ressel
To: gentoo-security@lists.gentoo.org
Date: Wed, 9 Apr 2014 19:01:16 +0200
Subject: Re: [gentoo-security] Regeneration of gpg keys after HeartBleed
Message-ID: <20140409190116.1d973698@gentp.lnet>
In-Reply-To: <534577CD.7090706@riseup.net>

On Wed, 09 Apr 2014 18:39:41 +0200
Jo wrote:

> I'm a bit concerned about the signing keys of the portage tree
> releases, I know that gpg is not the same as openssl but keeping in
> mind that SSH, VPN, HTTPS keys might be compromised for two years,
> don't you think it's a healthy measure to generate a new pair of keys?

It seems highly unlikely that GPG keys got compromised. This could only
have happened if either private GPG keys were transmitted via an
OpenSSL encrypted connection, or if the information leak created a
secondary attack vector.

SSL certificates and credentials transmitted via SSL on affected servers
should be renewed, but other than that, there's not that much to worry
about as some people think.

Regards,
Luis Ressel