On Wed, 09 Apr 2014 18:39:41 +0200 Jo <s...@riseup.net> wrote:

> I'm a bit concerned about the signing keys of the portage tree
> releases, I know that gpg is not the same as openssl but keeping in
> mind that SSH, VPN, HTTPS keys might be compromised for two years,
> don't you think it's a healthy measure to generate a new pair of keys?

It seems highly unlikely that GPG keys got compromised. This could only have happened if either private GPG keys were transmitted via an OpenSSL encrypted connection, or if the information leak created a secondary attack vector. SSL certificates and credentials transmitted via SSL on affected servers should be renewed, but other than that, there's not that much to worry about as some people think.

Regards,
Luis Ressel