Alexandre Dulaunoy venit, vidit, dixit 22.08.2008 16:33:
> On Fri, Aug 22, 2008 at 2:00 PM, Paul W. Frields <stickster@xxxxxxxxx> wrote:
>
>> One of the compromised Fedora servers was a system used for signing
>> Fedora packages. However, based on our efforts, we have high confidence
>> that the intruder was not able to capture the passphrase used to secure
>> the Fedora package signing key.
>
> Sorry, but there is information on the redhat.com website that somehow
> contradicts the fact that the attacker was not able to capture the
> passphrase (and sign packages):
>
> http://www.redhat.com/security/data/openssh-blacklist.html
>
> "In connection with the incident, the intruder was able to sign a
> small number of OpenSSH packages relating only to Red Hat Enterprise
> Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise
> Linux 5 (x86_64 architecture only)."
>
> As far as I know, there is a separation between Red Hat and the Fedora
> Project, but if the attacker was able to sign packages for Red Hat
> Enterprise.... why was he not able to do so for Fedora packages
> (including source packages)?
>
> Could you provide us with more information about differences in the
> signing process between Fedora and Red Hat? At least to give us some
> views on why we should be confident in the past and current signed
> packages.
>
> Thanks a lot,
>
> adulau

As Paul pointed out, the keys are different, and the Fedora key was not in
use (no passphrase typed in) during the critical time frame.

Funny thing is:

- Fedora's key will be changed, not RHEL's, which has been compromised.

- High-security private keys are best kept on bare metal and used on boxes
  without incoming network. This doesn't seem to apply to the package
  signing keys.

Michael

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
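The thread turns on which key signed which package: the Fedora and RHEL signing keys are distinct, and a user who wants confidence in already-installed packages needs to see the issuer key ID recorded in each RPM's signature header and compare it against the keys the distribution publishes as current. The following standard-library Python is an added example written for this page, not code from the thread, Fedora or Red Hat. It parses the RPM lead and signature header, extracts the OpenPGP issuer key ID from the signature packet (RFC 4880 v3 and v4 formats), and checks it against an allowlist. The RPM-shaped blob and the key IDs are constructed placeholders, not real Fedora or RHEL key IDs.

```python
"""Added example: read the issuer key ID from an RPM signature header and
check it against an allowlist of trusted signing keys. Stdlib only."""
import struct

RPM_LEAD_SIZE = 96                      # fixed-size lead precedes the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # RPM header magic + version
RPM_BIN_TYPE = 7                        # entry type whose count is a byte length
# Signature-header tags that carry OpenPGP signature packets (names as in rpm's rpmtag.h)
SIG_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSAHEADER", 268: "RSAHEADER"}


def parse_header(buf, offset):
    """Parse one RPM header section at `offset`; return ({tag: data}, end_offset).
    Only BIN entries are kept, which is all a signature check needs."""
    if buf[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", buf[offset + 8:offset + 16])
    index_start = offset + 16
    data_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(
            ">IIII", buf[index_start + 16 * i:index_start + 16 * i + 16])
        if typ == RPM_BIN_TYPE:
            if off + count > hsize:
                raise ValueError("entry for tag %d exceeds header data" % tag)
            entries[tag] = buf[data_start + off:data_start + off + count]
    return entries, data_start + hsize


def pgp_key_id(packet):
    """Return the 16-hex-digit issuer key ID of an OpenPGP signature packet
    (old- or new-format packet header; v3 or v4 signature body)."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                                   # new-format header
        tag, first = tag_byte & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        elif first == 255:
            body = packet[6:6 + struct.unpack(">I", packet[2:6])[0]]
        else:
            raise ValueError("partial body lengths unsupported")
    else:                                                 # old-format header
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 0:
            body = packet[2:2 + packet[1]]
        elif ltype == 1:
            body = packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
        elif ltype == 2:
            body = packet[5:5 + struct.unpack(">I", packet[1:5])[0]]
        else:
            raise ValueError("indeterminate length unsupported")
    if tag != 2:
        raise ValueError("expected signature packet (tag 2), got %d" % tag)
    if body[0] == 3:
        # v3 layout: version, hashed-len(=5), sig type, time(4), key ID(8), ...
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    hashed_len = struct.unpack(">H", body[4:6])[0]
    unhashed_start = 6 + hashed_len + 2
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:unhashed_start])[0]
    # The issuer subpacket (type 16) may be in either subpacket area; scan both.
    for p, end in ((6, 6 + hashed_len), (unhashed_start, unhashed_start + unhashed_len)):
        while p < end:
            sp_len = body[p]
            p += 1
            if 192 <= sp_len < 255:
                sp_len = ((sp_len - 192) << 8) + body[p] + 192
                p += 1
            elif sp_len == 255:
                sp_len = struct.unpack(">I", body[p:p + 4])[0]
                p += 4
            if body[p] & 0x7F == 16 and sp_len == 9:      # length includes type octet
                return body[p + 1:p + 9].hex().upper()
            p += sp_len
    raise ValueError("v4 signature without issuer subpacket")


def signing_key_ids(rpm_bytes):
    """Map signature-tag name -> issuer key ID for every signature in the package."""
    sig_entries, _ = parse_header(rpm_bytes, RPM_LEAD_SIZE)
    return {SIG_TAGS[t]: pgp_key_id(d) for t, d in sig_entries.items() if t in SIG_TAGS}


def check_package(rpm_bytes, trusted_key_ids):
    """Return (ok, key_ids): ok only if at least one signature is present and every
    one was made by an allowlisted key. A retired key is simply absent from the set."""
    ids = signing_key_ids(rpm_bytes)
    return bool(ids) and all(k in trusted_key_ids for k in ids.values()), ids


def build_sample_rpm(key_id_hex):
    """Constructed test blob (not a real package): 96-byte lead, then a signature
    header with one GPG entry holding a v4 signature packet whose unhashed area
    carries an issuer subpacket with `key_id_hex`. The MPI is a dummy."""
    lead = b"\xed\xab\xee\xdb\x03\x00" + b"\x00" * 90
    issuer = bytes([9, 16]) + bytes.fromhex(key_id_hex)
    sig_body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", 0)
                + struct.pack(">H", len(issuer)) + issuer
                + b"\xab\xcd" + struct.pack(">H", 8) + b"\xff")
    packet = bytes([0x88, len(sig_body)]) + sig_body    # old-format tag 2, 1-byte length
    index = struct.pack(">IIII", 1005, RPM_BIN_TYPE, 0, len(packet))
    header = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, len(packet)) + index + packet
    return lead + header


if __name__ == "__main__":
    # Placeholder key IDs, constructed for this example.
    trusted = {"0123456789ABCDEF"}
    for kid in ("0123456789ABCDEF", "FEDCBA9876543210"):
        print(kid, check_package(build_sample_rpm(kid), trusted))
```

This identifies which key a package claims to be signed by; it does not verify the signature, and a 64-bit key ID is not collision resistant, so it belongs alongside real verification (on a live system, `rpm -K` against the imported keys), not in place of it. Its value in an incident like this one is as a quick inventory: run it over a package cache and every package whose issuer is not in the current allowlist is flagged for re-verification.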