Recent site breaches like those at Kernel.org and Linux have prompted the Fedora Project to contact users to change their password and SSH public key before November 30 to avoid having their accounts marked as inactive.
In a message posted on Wednesday to the Developer’s Announcements mailing list, Infrastructure Lead Kevin Fenzi assured users the change was just housekeeping, not the result of a compromise.
The last mass password change at Fedora was three years ago and Fenzi believes that now “is a great time for all Fedora contributors and users to review their security settings and move to ‘best practices’ on their machines.”
The open source organization is also instituting new rules to enforce the use of strong passwords, with a minimum length of nine characters including the use of both lower and upper case letters, digits and punctuation marks.
As Threatpost reported, Fedora’s infrastructure was compromised back in January but the attacker wasn’t able to make any changes to the operating system’s back end.
Servers at kernel.org weren’t so lucky – the site was hit with a Trojan in August, when attackers compromised source code for the Linux kernel and modified SSH files. Weeks later, the Linux Foundation shuttered its website in response and told users to assume any passwords or SSH keys had been compromised.