On Mon, Apr 14, 2014 at 5:54 PM, Alex Legler <a...@gentoo.org> wrote:
> On 09.04.2014 18:39, Jo wrote:
>> Hi all, this is my first post in this list, so again Hi all!
>>
>> I'm a bit concerned about the signing keys of the portage tree releases,
>> I know that gpg is not the same as openssl but keeping in mind that SSH,
>> VPN, HTTPS keys might be compromised for two years, don't you think it's
>> a healthy measure to generate a new pair of keys?
>
> GPG private keys are kept and used nowhere near any server processes,
> not transferred via HTTPS or any VPNs, and SSH is not affected. I don't
> see an immediate need to rotate them.

Agree.  Also, in a few months whenever the new GPG policy GLEP is
implemented I suspect that many keys will be regenerated anyway.

Rich