Re: Infrastructure report, 2008-08-22 UTC 1200

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 22, 2008 at 2:00 PM, Paul W. Frields <stickster@xxxxxxxxx> wrote:


> One of the compromised Fedora servers was a system used for signing
> Fedora packages. However, based on our efforts, we have high confidence
> that the intruder was not able to capture the passphrase used to secure
> the Fedora package signing key.

Sorry but there is information on the redhat.com website is somehow
contradicting
the fact that the attacker was not able to capture the passphrase (and
sign packages) :

http://www.redhat.com/security/data/openssh-blacklist.html

"In connection with the incident, the intruder was able to sign a
small number of
OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and
x86_64 architectures only)
and Red Hat Enterprise Linux 5 (x86_64 architecture only)."

For what I know, there is a separation between Red Hat and the Fedora
Project but if the attacker
was able to sign packages for Red Hat Enterprise.... Why he was not
able for Fedora packages (including
source packages)?

Could you provide us more information about differences in the signing process
between Fedora and Red Hat? At least to give us some views why we
should be confident
in the past and current signed packages.

Thanks a lot,

adulau

-- 
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux