
Re: [Savannah-hackers-public] SSH host keys for the new machine?


From: John Sullivan
Subject: Re: [Savannah-hackers-public] SSH host keys for the new machine?
Date: Sun, 30 Oct 2016 21:35:23 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

Bob Proulx <address@hidden> writes:

> Option 3: Do we use the old keys now through the transition but switch
> to the new host keys soon after completing the migration?  Soon being
> 1-2 weeks.  This would keep the immediate disruption minimized.  It
> would allow us to back out of the switch, briefly return to the
> previous hosts if problems were found, without thrashing users.
>
> I have a mixed reaction.  Part of me wants to jump immediately to the
> longer key.  The older keys definitely need to be migrated away.  This
> would advertise very loudly to all users that things have changed.  We
> have put in a lot of effort and it will be nice to sing a little about
> it.
>
> But from a risk mitigation point I want to use the old keys just long
> enough for us to switch to the new just in case we need to switch back
> for a bit.  That would actually allow us to ping-pong if needed
> without user thrash.  Then switch the host keys after we know we are
> successfully there.
>
> Therefore I think we should execute option #3 above.  Assaf, Karl,
> What do you guys think?  Comments?

Personally, I vote for option #3, because it will reduce the number of
variables in debugging the inevitable problems that will appear in the
transition.

But I'm happy to be outvoted by people with more technical expertise,
which is all of you.

Whenever we do change the keys, we need to make an announcement with the
new fingerprint(s) 2-3 days before -- probably to all this mailing list,
from the FSF twitter/pump/social account (I think not just fsfstatus for
this one, because it will affect so many people), gnu-prog, #fsf, #gnu,
#savannah, perhaps in fsf.org/blogs/sysadmin etc. And put the
fingerprints prominently on sv.gnu.org itself? The wider we announce the
change, the fewer questions we'll get.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B
http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
<http://my.fsf.org/join>.


