My bet is we are going to see more and more of this, as fallout from the kernel.org crack.<p>Kernel.org said "Don't worry about linux, the source tree is in git and tamper-proof. All they messed with was SSH. It was amateur, really." (Some paraphrasing.)<p>Well, a modified SSH could easily log interesting details that pass through it. So if you used [ed: gpg] private key forwarding, the crackers have your private key. [ed: See <a href="http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#sec" rel="nofollow">http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#se...</a> for the SSH vulnerabilities.]<p>The only question is how fast the attackers have moved. Blitz all the servers at once, or try to carefully lay something individually tailored and undetectable. It's been long enough for either.<p>edit: Erroneous simplification, sorry. The attacker could imitate you on the remote system. This is not the same as having your ssh private key (my bad) but the result is the same. The third party server you connected to through kernel.org is compromised.<p>edit edit: But check your gpg keys! Gpg signing does require the full private key on the remote system. If you signed any files on kernel.org with forwarding, they could have your gpg private key. (Though this might need modification to gpg, which was not mentioned by kernel.org.)