On Sat, 23 Aug 2008 16:16:55 +0200, Roger Grosswiler <roger@xxxxxxxx> wrote:

> On Sat, 23 Aug 2008 00:38:15 +0200, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Anne Wilson wrote:
> > > On Friday 22 August 2008 17:48:22 Tom Killian wrote:
> > > > > One of the compromised Fedora servers was a system used for
> > > > > signing Fedora packages. However, based on our efforts, we have
> > > > > high confidence that the intruder was not able to capture the
> > > > > passphrase used to secure the Fedora package signing key. Based
> > > > > on our review to date, the passphrase was not used during the
> > > > > time of the intrusion on the system and the passphrase is not
> > > > > stored on any of the Fedora servers.
> > > >
> > > > Hmm, sounds like the passphrase is safe, but the
> > > > passphrase-encrypted private key is in the hands of the bad
> > > > guys, a good reason to revoke the key.
> > >
> > > That is not at all what was said. The 'bad guy' intruded into the
> > > system. At no time did he use the passphrase - as has been
> > > verified. I can think of no reason for him not to do so if he had
> > > got the private key. The FUD on this list is unbelievable.
> >
> > Tom is right. What the announcement says is that we must assume that
> > the intruder has the key but he probably can't use it. The key is
> > encrypted with a passphrase and the intruder had no way of finding
> > out the passphrase. The key therefore needs to be changed but
> > there's no need to panic.
> >
> > Björn Persson
>
> OK, but is it also on Fedora, with the OpenSSH issue? Or how could we now
> find out if our systems are compromised too?
>
> Roger

Ah yes, and do we also expect that packages for a new install have that
problem too? I mean, I would like to try KDE, but am not sure whether I'd
get compromised packages there...

Roger

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list