by edp 1179 days ago
The fact that users have to delete the old Github key from their systems and accept a new one is what could lead to a MITM attack.

If your system doesn't know the public key of an SSH server, when you connect the first time, the SSH client will display a warning and ask you if you accept the server key. An attacker could be between you and Github and if you accept without checking it's the correct key, you would be toast.
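The safe alternative to blindly accepting a first-connection prompt is to compare the presented host key's fingerprint with the one the operator published out of band before adding it to `known_hosts`. The following is an added example, not code from the commenter or from GitHub: it parses a line in the format `ssh-keyscan` emits, checks that the declared key type matches the type encoded inside the key blob, computes the `SHA256:` fingerprint the way OpenSSH displays it, and only hands back a `known_hosts` entry when that fingerprint matches the expected value in constant time. The key blob and the expected fingerprint are constructed placeholders (the blob is not a real key); in practice the expected value is copied from the operator's announcement page over HTTPS.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample standing in for one line of `ssh-keyscan github.com` output.
# Only the leading type string of the wire-format blob is realistic; the rest is
# filler, so this is NOT GitHub's key and will never match a real fingerprint.
_FAKE_BLOB = struct.pack(">I", len(b"ssh-rsa")) + b"ssh-rsa" + bytes(range(64))
SAMPLE_KEYSCAN_LINE = "github.com ssh-rsa " + base64.b64encode(_FAKE_BLOB).decode()

# Placeholder for the fingerprint obtained out of band (e.g. from the HTTPS
# announcement page). Replace with the operator's published value.
EXPECTED_FINGERPRINT = "SHA256:<fingerprint-from-announcement>"


def parse_keyscan_line(line):
    """Split 'host type base64' and return (host, type, raw key blob).

    The blob starts with a length-prefixed type string; it must agree with the
    declared type, otherwise the line has been tampered with or corrupted.
    """
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + type_len].decode("ascii")
    if blob_type != key_type:
        raise ValueError(f"declared type {key_type!r} but blob says {blob_type!r}")
    return host, key_type, blob


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, expected_fingerprint):
    """True only if the key on the line fingerprints to the expected value."""
    _, _, blob = parse_keyscan_line(line)
    return hmac.compare_digest(fingerprint(blob).encode(), expected_fingerprint.encode())


def known_hosts_entry_if_trusted(line, expected_fingerprint):
    """Return the known_hosts line to append, or None if verification failed.

    Appending only on success is what closes the first-connection window
    described in the comment above.
    """
    if not host_key_matches(line, expected_fingerprint):
        return None
    return line.strip()


if __name__ == "__main__":
    print("presented:", fingerprint(_FAKE_BLOB))
    print("expected: ", EXPECTED_FINGERPRINT)
    print("trusted entry:", known_hosts_entry_if_trusted(SAMPLE_KEYSCAN_LINE, EXPECTED_FINGERPRINT))
```

Run against real `ssh-keyscan` output the check prints the presented fingerprint next to the expected one; the entry is written to `known_hosts` only when they agree, so a key substituted on the path never gets trusted by default.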


Would it be more secure to access a https secured server to get the keyfile then?
Yes, GitHub's announcement provides the correct new public RSA key, and it also provides instructions for a curl invocation which does all the work if you don't trust yourself to copy-paste text or don't understand how.
Only if the https server cert wasn't compromised at the same time as the ssh key. For all we know, this entire announcement of "we have a new key" could be staged.