On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote: > Just guessing, > > This smells like a hacker was detected or a hack was discovered. > As readers of this list will note the historic resolution for a > hacked system has been to do a full reload which takes time. > > Ssh key management may also be at issue given the key generation flaw known > as the Debian SSH key attacks. In some cases a key can be recovered in > 20 min... In this case the issue might be poor keys generated outside > of RH and not a flaw in RH process or tools. > > If it had been a blown disk farm we would have more info already. > > The more I read about the SSH key attacks the more convinced > I am that there is a need to update my set of keys for me and my systems. > > In time they will tell. Today's announcement is pretty clear. There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done. All the evidence is that the key passphrase was not successfully hacked, so it's unlikely that we have any corrupt packages if we only accept signed ones. New signatures are to play safe, and it is now safe to resume normal working practices. I still think that the very low-volume announce list is essential for all Fedora users. Anne
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
