On Fri, Aug 22, 2008 at 2:00 PM, Paul W. Frields <stickster@xxxxxxxxx> wrote: > One of the compromised Fedora servers was a system used for signing > Fedora packages. However, based on our efforts, we have high confidence > that the intruder was not able to capture the passphrase used to secure > the Fedora package signing key. Sorry but there is information on the redhat.com website is somehow contradicting the fact that the attacker was not able to capture the passphrase (and sign packages) : http://www.redhat.com/security/data/openssh-blacklist.html "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)." For what I know, there is a separation between Red Hat and the Fedora Project but if the attacker was able to sign packages for Red Hat Enterprise.... Why he was not able for Fedora packages (including source packages)? Could you provide us more information about differences in the signing process between Fedora and Red Hat? At least to give us some views why we should be confident in the past and current signed packages. Thanks a lot, adulau -- -- Alexandre Dulaunoy (adulau) -- http://www.foo.be/ -- http://www.foo.be/cgi-bin/wiki.pl/Diary -- "Knowledge can create problems, it is not through ignorance -- that we can solve them" Isaac Asimov -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
