The problem with rotating this particular private key is that it's incredibly disruptive. Everyone who uses GH will see a big scary message from ssh saying the host key changed and something malicious might be going on. A majority of those people probably won't have seen a blog post announcing the change beforehand.
Anyone who's baked the host key in the known_hosts file that gets shipped on their CI systems would start to see jobs failing, and have to manually fix it up with the new host key.
These things are just annoying enough that I think it's perfectly understandable that GH doesn't want to regularly rotate this private key.
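The CI failure mode described above (a host key pinned in a shipped known_hosts file going stale) is usually fixed by hand with ssh-keygen -R and ssh-keyscan. The following is an added example, not code from the comment above or from GitHub, of how a CI image build could do that step deterministically: it replaces the pinned entry for a host only after checking the new key's SHA256 fingerprint against a value obtained out of band, and it also matches hashed (|1|...) host entries, which is where manual edits often go wrong. All key blobs, host names and the hashed-entry salt are constructed for the example; the known_hosts parsing follows the OpenSSH file format.

```python
import base64
import hashlib
import hmac


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64, no padding."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain or hashed) refers to `host`."""
    if not field.startswith("|1|"):
        # plain field: comma-separated names and addresses
        return host in field.split(",")
    # hashed field: |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>
    _, _, salt_b64, mac_b64 = field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def rotate_host_key(known_hosts: str, host: str, key_type: str,
                    new_blob: str, expected_fp: str) -> str:
    """Return known_hosts text with `host`'s `key_type` entry replaced by `new_blob`.

    Refuses to pin the new key unless its fingerprint equals `expected_fp`,
    which must come from a trusted out-of-band source (e.g. the provider's
    published fingerprints), never from ssh-keyscan output alone.
    """
    if fingerprint(new_blob) != expected_fp:
        raise ValueError("fingerprint mismatch; refusing to pin unverified host key")
    out, replaced = [], False
    for line in known_hosts.splitlines():
        parts = line.split()
        # leave blanks, comments and marker lines (@cert-authority, @revoked) untouched
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            out.append(line)
            continue
        if parts[1] == key_type and host_field_matches(parts[0], host):
            out.append(f"{parts[0]} {key_type} {new_blob}")  # keep host field as written
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{host} {key_type} {new_blob}")
    return "\n".join(out) + "\n"


# ---- constructed sample data (not real keys, not a real salt) ----

def _fake_ed25519_blob(fill: int) -> str:
    """Build a syntactically shaped ssh-ed25519 blob with a constant-filled key field."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(body).decode()


def _hashed_host_field(host: str, salt: bytes) -> str:
    """Produce a |1|salt|hmac host field the way ssh-keygen -H does."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


OLD_BLOB = _fake_ed25519_blob(0x01)
NEW_BLOB = _fake_ed25519_blob(0x02)
OTHER_BLOB = _fake_ed25519_blob(0x03)

SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts, keys are not real\n"
    f"github.com,203.0.113.10 ssh-ed25519 {OLD_BLOB}\n"
    f"{_hashed_host_field('github.com', b'0123456789abcdefghij')} ssh-ed25519 {OLD_BLOB}\n"
    f"gitlab.example ssh-ed25519 {OTHER_BLOB}\n"
)


def rotate_sample() -> str:
    """Rotate the github.com ed25519 entry in the sample using the new blob's own fingerprint."""
    return rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", "ssh-ed25519",
                           NEW_BLOB, fingerprint(NEW_BLOB))


if __name__ == "__main__":
    print("new key fingerprint:", fingerprint(NEW_BLOB))
    print(rotate_sample())
```

In a real pipeline the expected fingerprint would be a pinned constant reviewed in the repository, and the blob would come from ssh-keyscan; the point of the check is that the scan result is only trusted once it matches that reviewed value, so a rotation announced by the provider becomes a one-line change instead of a hand edit on every runner.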