On Wed, 23 Sep 2015, Gaudenz Steinlin wrote:
> Sage Weil <sage@xxxxxxxxxxxx> writes:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Last week, Red Hat investigated an intrusion on the sites of both the Ceph
> > community project (ceph.com) and Inktank (download.inktank.com), which
> > were hosted on a computer system outside of Red Hat infrastructure.
> >
> > Ceph.com provided Ceph community version downloads signed with a Ceph
> > signing key (id 7EBFDD5D17ED316D). Download.inktank.com provided releases
> > of the Red Hat Ceph product for Ubuntu and CentOS operating systems signed
> > with an Inktank signing key (id 5438C7019DCEEEAD). While the investigation
> > into the intrusion is ongoing, our initial focus was on the integrity of
> > the software and distribution channel for both sites.
> >
> > To date, our investigation has not discovered any compromised code or
> > binaries available for download on these sites. However, we cannot fully
> > rule out the possibility that some compromised code or binaries were
> > available for download at some point in the past. Further, we can no
> > longer trust the integrity of the Ceph signing key, and therefore have
> > created a new signing key (id E84AC2C0460F3994) for verifying downloads.
> > This new key is committed to the ceph.git repository and is
> > also available from
> >
> > https://git.ceph.com/release.asc
> >
> > The new key should look like:
> >
> > pub 4096R/460F3994 2015-09-15
> > uid Ceph.com (release key) <security@xxxxxxxx>
> >
> > All future release git tags will be signed with this new key.
> >
> > This intrusion did not affect other Ceph sites such as download.ceph.com
> > (which contained some older Ceph downloads) or git.ceph.com (which mirrors
> > various source repositories), and is not known to have affected any other
> > Ceph community infrastructure. There is no evidence that the build system or
> > the Ceph github source repository were compromised.
> >
> > New hosts for ceph.com and download.ceph.com have been created and the
> > sites have been rebuilt. All content available on download.ceph.com has
> > been verified, and all ceph.com URLs for package locations now redirect
> > there. There is still some content missing from download.ceph.com that
> > will appear later today: source tarballs will be regenerated from git, and
> > older release packages are being re-signed with the new release key. DNS
> > changes are still propagating, so you may not see the new versions of the
> > ceph.com and download.ceph.com sites for another hour or so.
>
> It would be nice to have a way to verify the integrity of tarballs
> downloaded from http://download.ceph.com/tarballs/. Could you please add
> individual signatures or an sha256sum file signed with your release key.
> This is important for people building from source tarballs and
> distribution packagers basing their packages on tarballs. Debian and
> Ubuntu packages are currently built from them.

Future releases will have tarball signatures. Alfredo and Andrew are
working on the new build/release tooling now.

sage
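The check Gaudenz asks for above, as an added example that is not code from the ceph project or from anyone in this thread: verify a downloaded tarball against a sha256sum-format SHA256SUMS file whose detached signature must come from the new release key. The security-relevant detail after a key rotation is that a "good signature" is not enough; the verifier has to pin the signer, otherwise a signature from the retired key 7EBFDD5D17ED316D (still in many keyrings at the time) would pass. The example assumes a gpg binary on PATH (used only by verify_signed_sums), a keyring file containing the release key, and the sha256sum(1) line format; the file names, the sample SHA256SUMS and the gpg status output are constructed for illustration, and the placeholder fingerprint in that output merely ends in the new key id since the page gives only the long id, not the full fingerprint.

```python
"""Verify a release tarball against a SHA256SUMS file signed by a pinned key.

Added example; assumes gpg on PATH (verify_signed_sums only), a keyring file
holding the release key, and sha256sum(1) output format. Sample data below is
constructed.
"""
import hashlib
import os
import subprocess
import tempfile

# Long key id of the new release key from the advisory. gpg's VALIDSIG status
# line reports a 40-hex-digit fingerprint, which the page does not give, so
# the pin is matched as the suffix of that fingerprint.
CEPH_RELEASE_KEY_ID = "E84AC2C0460F3994"
# The key the advisory says can no longer be trusted.
RETIRED_CEPH_KEY_ID = "7EBFDD5D17ED316D"
HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse '<64 hex>  <name>' / '<64 hex> *<name>' lines into {name: digest}.
    Malformed or conflicting lines raise so a truncated or edited sums file
    never silently verifies nothing."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum --binary marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"SHA256SUMS line {lineno}: bad digest {parts[0]!r}")
        if sums.get(name, digest) != digest:
            raise ValueError(f"SHA256SUMS line {lineno}: conflicting digests for {name}")
        sums[name] = digest
    return sums


def sha256_file(path):
    """Stream the file so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tarball(path, sums):
    """True if the digest matches the SHA256SUMS entry; an unlisted file is an
    error rather than a pass."""
    name = os.path.basename(path)
    if name not in sums:
        raise ValueError(f"{name} is not listed in SHA256SUMS")
    return sha256_file(path) == sums[name]


def pinned_signer(status_text, expected_key_id):
    """Return the VALIDSIG fingerprint from gpg --status-fd output if it ends
    with expected_key_id, else None. GOODSIG is deliberately ignored: it only
    says some key in the keyring signed the file, and the retired key may
    still be in that keyring."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fingerprint = fields[2].upper()
            if fingerprint.endswith(expected_key_id.upper()):
                return fingerprint
    return None


def verify_signed_sums(sums_path, sig_path, keyring, expected_key_id=CEPH_RELEASE_KEY_ID):
    """Verify the detached signature on SHA256SUMS with gpg and require the
    pinned signer. Raises RuntimeError on any failure."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    fingerprint = pinned_signer(proc.stdout, expected_key_id)
    if proc.returncode != 0 or fingerprint is None:
        raise RuntimeError("SHA256SUMS signature not valid for the pinned release key: "
                           + proc.stderr.strip())
    return fingerprint


# Constructed sample SHA256SUMS: digests of b"abc" and of b"".
SAMPLE_SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ceph-example.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  ceph-empty.tar.gz
"""
# Constructed gpg status output; the fingerprint is a placeholder ending in
# the new key id, not the key's real fingerprint.
SAMPLE_GPG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E84AC2C0460F3994 Ceph.com (release key)
[GNUPG:] VALIDSIG 000000000000000000000000E84AC2C0460F3994 2015-09-15 1442275200 0 4 0 1 10 00 000000000000000000000000E84AC2C0460F3994
"""


def demo():
    """Write the constructed tarball, check its digest, and pin the signer on
    the sample status output; returns (digest_ok, signer_fingerprint)."""
    sums = parse_sha256sums(SAMPLE_SUMS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ceph-example.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        digest_ok = check_tarball(path, sums)
    return digest_ok, pinned_signer(SAMPLE_GPG_STATUS, CEPH_RELEASE_KEY_ID)


if __name__ == "__main__":
    print(demo())
```

In real use the order matters: run verify_signed_sums on the downloaded SHA256SUMS and its .asc first, and only then trust the digests it lists; a keyring built from https://git.ceph.com/release.asc alone keeps the retired key out entirely, and the fingerprint pin catches the case where it is still present.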