On Mon, 2011-09-12 at 12:01 -0400, Adam M. Dutko wrote:
I think a "security event driven" change policy would be more effective than an arbitrary change policy driven by a deadline.
LinuxCode asked me about this in #fedora-noc after I mentioned:
"... there is conflicting evidence (one might call it 'opinion' more than evidence) as to whether frequent changes are effective ... just a thought"
The article that precipitated this comment was one published by Bruce Schneier [0]. Again, this is "yet another opinion."
I'm not arguing about the efficacy of frequent changes. Nor am I recommending we do it often. I'm saying right now, here, today, we force a change.
Not once a month
Not once every 3 months
Not at any fixed schedule.
Not on a boat
Not with a goat.
-sv