GNOME has reacted and removed all blacklisted SSH keys from their authorized_keys, which is the minimum you should do to ensure safety.

For all I know, sourceforge.net has not yet done so (I didn’t check if I could have logged in with my old key, though - maybe they installed the blacklist in the SSH server, not touching the users’ keys; there is no blacklist in /etc/ssh though). authorized_keys files are world-readable, so I can log in at SourceForge and read other users’ authorized_keys. With this approach I believe you could hack dozens of SSH accounts on SourceForge within a few hours, without having to employ brute-force.

These keys could then in turn be used to inject backdoors and/or trojans into other open source projects (wherever at least one developer with write access used a vulnerable key).

If you were affected by the Debian OpenSSL bug, please replace your SourceForge key as soon as possible. Please verify any commits made on SourceForge until they’ve taken appropriate measures to block bad keys.

SourceForge and other operators of such platforms should install blacklists NOW, and remove any vulnerable keys from their databases.
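
A sketch of the cleanup step for operators, added here as an example and not taken from GNOME, SourceForge or any SSH package: it filters authorized_keys content against a blacklist of key fingerprints. It assumes the blacklist is available as a set of MD5 fingerprints of the public key blobs (hex, no colons); the function names and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct

def fingerprint(line):
    """MD5 fingerprint (hex, no colons) of the key in one authorized_keys line, or None."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        name = fields[i].encode()
        # A real key blob starts with its own length-prefixed type name; checking
        # this skips option text such as command="..." that precedes the key.
        if blob[:4] == struct.pack(">I", len(name)) and blob[4:4 + len(name)] == name:
            return hashlib.md5(blob).hexdigest()
    return None

def filter_authorized_keys(text, blacklist):
    """Split authorized_keys content into (kept_lines, removed_lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        fp = None if line.lstrip().startswith("#") else fingerprint(line)
        (removed if fp in blacklist else kept).append(line)
    return kept, removed

def _constructed_blob(tag):
    """Constructed stand-in for a public key blob (not a real key)."""
    body = b"ssh-rsa"
    return base64.b64encode(struct.pack(">I", len(body)) + body + tag).decode()

# Constructed sample data: one "weak" key used twice, one unaffected key.
WEAK, GOOD = _constructed_blob(b"weak-key-demo"), _constructed_blob(b"good-key-demo")
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + GOOD + " alice@laptop",
    'command="/usr/bin/svnserve -t",no-pty ssh-rsa ' + WEAK + " bob@build",
    "ssh-rsa " + WEAK + " bob@old-desktop",
])
BLACKLIST = {hashlib.md5(base64.b64decode(WEAK)).hexdigest()}  # assumed format

if __name__ == "__main__":
    kept, removed = filter_authorized_keys(SAMPLE, BLACKLIST)
    print("\n".join(kept))
    for line in removed:
        print("REMOVED:", line.split()[-1])
```

Matching on the fingerprint rather than on the line text catches the same weak key wherever it appears, including entries that carry options or a different comment.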