Re: non-disclosure of infrastructure problem a management issue?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anne Wilson wrote:
> On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
>> Just guessing,
>>
>> This smells like a hacker was detected or a hack was discovered.
>> As readers of this list will note the historic resolution for a
>> hacked system has been to do a full reload which takes time.
>>
>> Ssh key management may also be at issue given the key generation flaw known
>> as the Debian SSH key attacks.   In some cases a key can be recovered in
>> 20 min...  In this case the issue might be poor keys generated outside
>> of RH and not a flaw in RH process or tools.
>>
>> If it had been a blown disk farm we would have more info already.
>>
>> The more I read about the SSH key attacks the more convinced
>> I am that there is a need to update my set of keys for me and my systems.
>>
>> In time they will tell.
>
> Today's announcement is pretty clear.  There was an intrusion, and it affected
> the server which signs packages, hence the warning to hold off until tests
> had been done.  All the evidence is that the key passphrase was not
> successfully hacked, so it's unlikely that we have any corrupt packages if we
> only accept signed ones.  New signatures are to play safe, and it is now safe
> to resume normal working practices.
>
> I still think that the very low-volume announce list is essential for all
> Fedora users.


At the very least it should be suggested, recommended, or maybe an
'auto signup' when signing up for any other of the 'public type' lists.
For them, the newer users, because it is important. Those of us with
experience know, or should know, enough to do that.

It is a very low-volume list so even those with 'limits' should see the
value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but
then the 'I didn't know' whines should stop because of the 'opt-out'.
Those that opt-out, and whine, should be ignored.  ;-)

- --


  David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiu6+0ACgkQAO0wNI1X4QGKOQCgsmU7E9k59W2oE2GGMlFIJeZV
yH0AmQH2R9cQj22OUGgRfbw7J9D+Hd69
=AQyj
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list