Infrastructure report, 2008-08-22 UTC 1200
Bill Crawford
billcrawford1970 at gmail.com
Fri Aug 22 15:06:13 UTC 2008
2008/8/22 Michael J Gruber <michaeljgruber+gmane at fastmail.fm>:
> - Fedora's key will be changed, not RHEL's, which has been compromised.
> - High security private keys are best kept in bare metal and used on
> boxes without incoming network. This doesn't seem to apply to the
> package signing keys.
We don't know that the RHEL key has been compromised; perhaps dodgy
packages were fed to a signing mechanism that was not directly
accessible to the attacker (and maybe they detected the intrusion
because someone noticed something fishy about the packages they were
signing?) .... we don't know the full story. Maybe RHEL will have
updated keys distributed via RHN. *shrug*
More information about the fedora-list
mailing list