-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anne Wilson wrote: > On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote: >> Just guessing, >> >> This smells like a hacker was detected or a hack was discovered. >> As readers of this list will note the historic resolution for a >> hacked system has been to do a full reload which takes time. >> >> Ssh key management may also be at issue given the key generation flaw known >> as the Debian SSH key attacks. In some cases a key can be recovered in >> 20 min... In this case the issue might be poor keys generated outside >> of RH and not a flaw in RH process or tools. >> >> If it had been a blown disk farm we would have more info already. >> >> The more I read about the SSH key attacks the more convinced >> I am that there is a need to update my set of keys for me and my systems. >> >> In time they will tell. > > Today's announcement is pretty clear. There was an intrusion, and it affected > the server which signs packages, hence the warning to hold off until tests > had been done. All the evidence is that the key passphrase was not > successfully hacked, so it's unlikely that we have any corrupt packages if we > only accept signed ones. New signatures are to play safe, and it is now safe > to resume normal working practices. > > I still think that the very low-volume announce list is essential for all > Fedora users. At the very least it should be suggested, recommended, or maybe an 'auto signup' when signing up for any other of the 'public type' lists. For them, the newer users, because it is important. Those of us with experience know, or should know, enough to do that. It is very low volume list so even those with 'limits' should see the value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but then the 'I didn't know' whines should stop because of the 'opt-out'. Those that opt-out, and whine, should be ignored. ;-) - -- David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAkiu6+0ACgkQAO0wNI1X4QGKOQCgsmU7E9k59W2oE2GGMlFIJeZV yH0AmQH2R9cQj22OUGgRfbw7J9D+Hd69 =AQyj -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list