Alexandre Dulaunoy wrote:
[Not speaking for anyone else except myself here]
One of the compromised Fedora servers was a system used for signing
Fedora packages. However, based on our efforts, we have high confidence
that the intruder was not able to capture the passphrase used to secure
the Fedora package signing key.
Sorry but there is information on the redhat.com website is somehow
contradicting
the fact that the attacker was not able to capture the passphrase (and
sign packages) :
The above quote refers to Fedora packages while the website link refers
to RHEL packages. I don't see the contradiction.
http://www.redhat.com/security/data/openssh-blacklist.html
"In connection with the incident, the intruder was able to sign a
small number of
OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and
x86_64 architectures only)
and Red Hat Enterprise Linux 5 (x86_64 architecture only)."
For what I know, there is a separation between Red Hat and the Fedora
Project but if the attacker
was able to sign packages for Red Hat Enterprise.... Why he was not
able for Fedora packages (including
source packages)?
Could you provide us more information about differences in the signing process
between Fedora and Red Hat? At least to give us some views why we
should be confident
in the past and current signed packages.
The keys and systems used for signing packages are different for Fedora,
EPEL and RHEL as the announcement indicates and if someone signed Fedora
packages with RHEL keys, that can be detected easily.
Rahul
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list