Anne Wilson wrote: > On Friday 22 August 2008 17:48:22 Tom Killian wrote: > > >One of the compromised Fedora servers was a system used for signing > > >Fedora packages. However, based on our efforts, we have high confidence > > >that the intruder was not able to capture the passphrase used to secure > > >the Fedora package signing key. Based on our review to date, the > > >passphrase was not used during the time of the intrusion on the system > > >and the passphrase is not stored on any of the Fedora servers. > > > > Hmm, sounds like the passphrase is safe, but the passphrase-encrypted > > private key is in the hands of the bad guys, a good reason to revoke > > the key. > > That is not at all what was said. The 'bad guy' intruded into the system. > At no time did he use the passphrase - as has been verified. I can think > of no reason for him not to do so if he had got the private key. The FUD > on this list is unbelievable. Tom is right. What the announcement says is that we must assume that the intruder has the key but he probably can't use it. The key is encrypted with a passphrase and the intruder had no way of finding out the passphrase. The key therefore needs to be changed but there's no need to panic. Björn Persson
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
