Infrastructure status, 2008-08-19 UTC 0200

Björn Persson bjorn at xn--rombobjrn-67a.se
Fri Aug 22 22:38:15 UTC 2008


Anne Wilson wrote:
> On Friday 22 August 2008 17:48:22 Tom Killian wrote:
> > >One of the compromised Fedora servers was a system used for signing
> > >Fedora packages. However, based on our efforts, we have high confidence
> > >that the intruder was not able to capture the passphrase used to secure
> > >the Fedora package signing key. Based on our review to date, the
> > >passphrase was not used during the time of the intrusion on the system
> > >and the passphrase is not stored on any of the Fedora servers.
> >
> > Hmm, sounds like the passphrase is safe, but the passphrase-encrypted
> > private key is in the hands of the bad guys, a good reason to revoke
> > the key.
>
> That is not at all what was said.  The 'bad guy' intruded into the system. 
> At no time did he use the passphrase - as has been verified.  I can think
> of no reason for him not to do so if he had got the private key.  The FUD
> on this list is unbelievable.

Tom is right. What the announcement says is that we must assume that the 
intruder has the key but he probably can't use it. The key is encrypted with 
a passphrase and the intruder had no way of finding out the passphrase. The 
key therefore needs to be changed but there's no need to panic.

Björn Persson
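The point Björn makes above (an encrypted private key file that leaks is not usable without its passphrase, but the key should still be rotated) can be checked directly. The following is an added example, not part of the thread or of Fedora's infrastructure: it uses the openssl CLI (assumed installed) with a PEM-encoded RSA key as a stand-in for the GPG signing key, generates one copy protected by a passphrase and one without, and confirms that the protected file cannot be loaded with a wrong or empty passphrase. The `key_is_encrypted` function is the audit check a defender would run over keys found on a server to spot the bad case, a key stored unencrypted on disk. All paths and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): uses the openssl CLI,
# assumed to be installed, to show what "the key is encrypted with a
# passphrase" means for a private key file copied off a server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA private key stored on disk under AES-256-CBC so that it is
# unlocked only by the passphrase. $1 = output path, $2 = passphrase.
make_protected_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}

# Generate the same kind of key with NO passphrase (the case to audit for).
make_unprotected_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# Audit check: is the key file actually encrypted at rest? Both PEM forms
# OpenSSL writes ("BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8, or a
# "Proc-Type: 4,ENCRYPTED" header for the legacy format) carry this word.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Can the key be loaded with the given passphrase? $1 = path, $2 = passphrase.
# A wrong or empty passphrase makes openssl exit non-zero.
can_unlock() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Walk through the scenario: a copy of the encrypted file leaks, but the
# intruder lacks the passphrase. Returns 0 if every expectation holds.
scenario() {
    make_protected_key "$WORK/signing.pem" 'correct horse battery staple'
    make_unprotected_key "$WORK/weak.pem"
    key_is_encrypted "$WORK/signing.pem" || return 1
    if key_is_encrypted "$WORK/weak.pem"; then return 1; fi
    can_unlock "$WORK/signing.pem" 'correct horse battery staple' || return 1
    if can_unlock "$WORK/signing.pem" 'guess'; then return 1; fi
    if can_unlock "$WORK/signing.pem" ''; then return 1; fi
    return 0
}

scenario && echo "leaked encrypted key file is unusable without the passphrase; weak.pem is the case an audit must catch"
```

The check only tells you the file is encrypted, not how well: the protection rests entirely on the passphrase's entropy and the key derivation cost, which is why the key is still rotated after a compromise rather than trusted indefinitely.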