Re: non-disclosure of infrastructure problem a management issue?

On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
> Just guessing,
>
> This smells like a hacker was detected or a hack was discovered.
> As readers of this list will note, the historic resolution for a
> hacked system has been to do a full reload which takes time.
>
> SSH key management may also be at issue given the key generation flaw known
> as the Debian SSH key attacks. In some cases a key can be recovered in
> 20 min... In this case the issue might be poor keys generated outside
> of RH and not a flaw in RH process or tools.
>
> If it had been a blown disk farm we would have more info already.
>
> The more I read about the SSH key attacks the more convinced
> I am that there is a need to update my set of keys for me and my systems.  
>
> In time they will tell.

Today's announcement is pretty clear.  There was an intrusion, and it affected 
the server which signs packages, hence the warning to hold off until tests 
had been done.  All the evidence is that the key passphrase was not 
successfully hacked, so it's unlikely that we have any corrupt packages if we 
only accept signed ones.  New signatures are to play safe, and it is now safe 
to resume normal working practices.

I still think that the very low-volume announce list is essential for all 
Fedora users.

Anne


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
