-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Simetrical:
they were created on a vulnerable OpenSSL version not on the toolserver. Given that Brion disabled some people's commit keys, I take it that it's possible to tell whether a key is compromised just by examining the public key. Do you plan to do that, or allow people with compromised keys to continue to log in? Or is that a false dilemma?
as you can read in my previous mail to the list (a couple of minutes ago) affected keys have been disabled. however, not all broken keys can be detected automatically, just most of them.
- river.