Sad to see another compromise of a Debian host machine. Sad because there exist people who do this, rather than because we got caught out.
Would now be a good time to suggest restricting *.debian.org to key-based logins only, and avoiding SSH password logins?
I don’t know if all the services could be updated, but I figure most could.
Yes, this does mandate keeping an SSH key secure, and private, but we already require Debian Developers to do the same thing for a GPG key. Right?
Hell, publish your public and private keypairs encrypted to your GPG key ;)
Right, that is my post for the day.