You may have heard of it: I’m speaking about DSA-1571-1. Read more about it on the pages “Key Rollover” or “SSLkeys”.
And no, I don’t put it off lightly, like tuxchick did lately, nor do I blame any Debian people or anyone else - we’re only human, after all. But think about the consequences, like Erich did.
For me, that meant for instance that while fixing my setups on my local and remote Etch systems, I had to take care not to lock myself out of my older (and not vulnerable) Sarge servers by simply generating new keys. The same applies if you made keys and used them for instance in your OpenWrt (or other) routers. Or for (SSL-) certificates. Or Tor. The possibilities are endless.
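The lock-out risk above comes down to ordering: if the only key a remote host trusts is deleted before its replacement is known to work, that host is gone. The following POSIX shell script is an added example (not from the original post or from Debian) of a rotation that installs the new public key first, verifies it with a command you supply (on a real host that would be an `ssh -i newkey host true` login), and retires the old key only when that verification succeeds. The key strings and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lock-out-safe replacement of a public key in an
# authorized_keys file. Order of operations is the whole point:
#   1. append the new key, 2. verify it works, 3. only then drop the old key.
set -u

# Constructed sample keys (not real key material).
OLD_KEY="ssh-rsa AAAAEXAMPLEOLDKEY== old-key-constructed"
NEW_KEY="ssh-rsa AAAAEXAMPLENEWKEY== new-key-constructed"

# Append NEW_PUB to FILE unless it is already there (idempotent).
add_key() {
    file=$1; new_pub=$2
    grep -qxF "$new_pub" "$file" 2>/dev/null || printf '%s\n' "$new_pub" >> "$file"
}

# Remove OLD_PUB from FILE, but refuse if NEW_PUB is not present, so the file
# can never be left without a usable key.
retire_key() {
    file=$1; old_pub=$2; new_pub=$3
    if ! grep -qxF "$new_pub" "$file"; then
        echo "refusing to remove old key: replacement not installed" >&2
        return 1
    fi
    grep -vxF "$old_pub" "$file" > "$file.tmp" || true
    chmod 600 "$file.tmp" && mv "$file.tmp" "$file"   # keep sshd's expected mode
}

# Number of keys currently in FILE (0 when empty).
count_keys() {
    grep -c '^ssh-' "$1" || true
}

# Full rotation: install the new key, run VERIFY_CMD (e.g. a test login with
# the new key), and retire the old key only when verification succeeds.
# On failure the old key is kept and the function returns non-zero.
rotate_key() {
    file=$1; old_pub=$2; new_pub=$3; verify_cmd=$4
    add_key "$file" "$new_pub" || return 1
    if ! sh -c "$verify_cmd"; then
        echo "new key did not verify; old key kept in place" >&2
        return 1
    fi
    retire_key "$file" "$old_pub" "$new_pub"
}

# Stand-alone demonstration on a temporary file.
DEMO=$(mktemp)
printf '%s\n' "$OLD_KEY" > "$DEMO"
rotate_key "$DEMO" "$OLD_KEY" "$NEW_KEY" true && echo "rotated: $(count_keys "$DEMO") key(s) left"
rm -f "$DEMO"
```

The verification command is deliberately a parameter: the script cannot know how you reach a given box, and the one thing that must never happen is deleting a key on the strength of an untested assumption that the new one is accepted.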
It’s even an issue if you set up a new Ubuntu Hardy system with the shiny new CDs which come fresh out of Canonical’s shop: the host keys are generated before you get any updates over the network!
Maybe that is why Steinar explains the maths to us, why Daniel calls it the “Worst Debian day ever”, or why Steve thinks that “Fixing this will take years, probably”. And it affects half of the world, though most end users probably won’t be thinking about the large number of servers which run their services (I bet most people still don’t know that each and every email or chat or whatever runs through Debian servers somewhere out there).
But, like Michal said, “Everything bad is good for something”, so let’s roll up our sleeves and get to work. I’m halfway through already, I hope. Let’s see if I forgot something…
So, for all the sysadmins out there: think twice, and then again. And for the end users who rely on someone else (like an ISP or some “managed hosting”) to run their stuff: ask them if they have heard about DSA-1571-1.