Infrastructure status, 2008-08-19 UTC 0200
Roger Grosswiler
roger at gwch.net
Sat Aug 23 14:29:08 UTC 2008
On Sat, 23 Aug 2008 16:16:55 +0200,
Roger Grosswiler <roger at gwch.net> wrote:
> On Sat, 23 Aug 2008 00:38:15 +0200,
> Björn Persson <bjorn at xn--rombobjrn-67a.se> wrote:
>
> > Anne Wilson wrote:
> > > On Friday 22 August 2008 17:48:22 Tom Killian wrote:
> > > > >One of the compromised Fedora servers was a system used for
> > > > >signing Fedora packages. However, based on our efforts, we have
> > > > >high confidence that the intruder was not able to capture the
> > > > >passphrase used to secure the Fedora package signing key. Based
> > > > >on our review to date, the passphrase was not used during the
> > > > >time of the intrusion on the system and the passphrase is not
> > > > >stored on any of the Fedora servers.
> > > >
> > > > Hmm, sounds like the passphrase is safe, but the
> > > > passphrase-encrypted private key is in the hands of the bad
> > > > guys, a good reason to revoke the key.
> > >
> > > That is not at all what was said. The 'bad guy' intruded into the
> > > system. At no time did he use the passphrase - as has been
> > > verified. I can think of no reason for him not to do so if he had
> > > got the private key. The FUD on this list is unbelievable.
> >
> > Tom is right. What the announcement says is that we must assume that
> > the intruder has the key but he probably can't use it. The key is
> > encrypted with a passphrase and the intruder had no way of finding
> > out the passphrase. The key therefore needs to be changed but
> > there's no need to panic.
> >
> > Björn Persson
>
> OK, but is it also on Fedora, with the OpenSSH issue? Or how could we now
> find out if our systems are compromised too?
>
> Roger
>
Ah yes, and do we also expect that packages for new installs have that
problem too?
I mean, I would like to try KDE, but am not sure whether I would get
compromised packages there...
Roger
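A practical way to answer Roger's question about one's own systems, added here as an example that is neither from the thread nor from Fedora: list every installed package together with the key ID that signed it (rpm's `%{SIGPGP:pgpsig}` tag, whose last field is the key ID) and flag anything unsigned or signed by a key that is not on your allow list. Once a new signing key is published, only that key belongs on the list. The allow-list key IDs, package names and the sample rpm output below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora.
# Input: one line per installed package, "<name><TAB><pgpsig>", as produced by
#   rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'
# where <pgpsig> looks like "DSA/SHA1, <date>, Key ID 30c9ecf8" or "(none)".
# Output: one line per package whose signature is missing or was made by a key
# that is not on the allow list.

# Allow list of signing key IDs (hypothetical values; fill in the key IDs the
# distribution publishes, e.g. the replacement key once the old one is retired).
ALLOWED_KEYIDS="30c9ecf8 4f2a6fd2"

# flag_unexpected: read name/pgpsig lines on stdin, report problems on stdout.
flag_unexpected() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name sig; do
        if [ -z "$name" ]; then continue; fi
        case "$sig" in
            ""|"(none)")
                echo "$name: unsigned"
                continue ;;
        esac
        # The key ID is the last whitespace-separated field of the pgpsig string;
        # normalise to lower case before comparing.
        keyid=$(printf '%s' "${sig##* }" | tr 'A-Z' 'a-z')
        ok=0
        for k in $ALLOWED_KEYIDS; do
            if [ "$k" = "$keyid" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            echo "$name: signed by unexpected key $keyid"
        fi
    done
}

# Constructed sample of rpm output (names, dates and key IDs are made up).
SAMPLE=$(printf 'bash\tDSA/SHA1, Mon 03 Mar 2008 10:00:00 UTC, Key ID 30c9ecf8\nkdebase\tDSA/SHA1, Fri 22 Aug 2008 09:12:00 UTC, Key ID deadbeefcafef00d\nlocal-tool\t(none)\n')

# Run against the sample; on a real host pipe the rpm command above in instead.
printf '%s\n' "$SAMPLE" | flag_unexpected
```

On a real host, replace the sample with `rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' | flag_unexpected`; this checks which key signed each package, not whether the package contents still match the signature, so follow it with `rpm -Va` for packages you want to verify further.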