On 04/09/14 12:01, Luis Ressel wrote:
> On Wed, 09 Apr 2014 18:39:41 +0200
> Jo <saos@riseup.net> wrote:
>> I'm a bit concerned about the signing keys of the portage tree
>> releases, I know that gpg is not the same as openssl but keeping in
>> mind that SSH, VPN, HTTPS keys might be compromised for two years,
>> don't you think it's a healthy measure to generate a new pair of keys?
> SSL certificates and credentials transmitted via SSL on affected servers
> should be renewed, but other than that, there's not that much to worry
> about as some people think.
It's worth a trip to http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html
It's not impossible that ssl keys could be compromised, but in most cases it shouldn't happen.
Chris