Infrastructure report, 2008-08-22 UTC 1200

Rahul Sundaram sundaram at fedoraproject.org
Fri Aug 22 14:52:34 UTC 2008


Alexandre Dulaunoy wrote:


[Not speaking for anyone else except myself here]

>> One of the compromised Fedora servers was a system used for signing
>> Fedora packages. However, based on our efforts, we have high confidence
>> that the intruder was not able to capture the passphrase used to secure
>> the Fedora package signing key.
> 
> Sorry, but there is information on the redhat.com website that somehow
> contradicts the fact that the attacker was not able to capture the
> passphrase (and sign packages):

The above quote refers to Fedora packages while the website link refers 
to RHEL packages. I don't see the contradiction.

> http://www.redhat.com/security/data/openssh-blacklist.html
> 
> "In connection with the incident, the intruder was able to sign a
> small number of
> OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and
> x86_64 architectures only)
> and Red Hat Enterprise Linux 5 (x86_64 architecture only)."
> 
> As far as I know, there is a separation between Red Hat and the Fedora
> Project, but if the attacker was able to sign packages for Red Hat
> Enterprise.... why was he not able to for Fedora packages (including
> source packages)?
> 
> Could you provide us with more information about differences in the
> signing process between Fedora and Red Hat? At least to give us some
> views on why we should be confident in the past and current signed
> packages.

The keys and systems used for signing packages are different for Fedora, 
EPEL and RHEL, as the announcement indicates, and if someone signed Fedora 
packages with RHEL keys, that can be detected easily.

Rahul