Re: Infrastructure report, 2008-08-22 UTC 1200


 



On Fri, Aug 22, 2008 at 2:00 PM, Paul W. Frields <stickster@xxxxxxxxx> wrote:


> One of the compromised Fedora servers was a system used for signing
> Fedora packages. However, based on our efforts, we have high confidence
> that the intruder was not able to capture the passphrase used to secure
> the Fedora package signing key.

Sorry, but there is information on the redhat.com website that somehow
contradicts the fact that the attacker was not able to capture the
passphrase (and sign packages):

http://www.redhat.com/security/data/openssh-blacklist.html

"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5
(x86_64 architecture only)."

From what I know, there is a separation between Red Hat and the Fedora
Project, but if the attacker was able to sign packages for Red Hat
Enterprise.... Why was he not able to for Fedora packages (including
source packages)?

Could you provide us with more information about the differences in the
signing process between Fedora and Red Hat? At least to give us some view
of why we should be confident in the past and current signed packages.

Thanks a lot,

adulau

-- 
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list