Secrecy and user trust

John Aldrich john at chattanooga.net
Tue Sep 2 17:55:44 UTC 2008


Quoting Bill Davidsen <davidsen at tmr.com>:
>
> As noted, the detail I would have liked was to know if this was a
> failure of system security or a failure of misplaced trust. If there is
> a hole in their server system security it's likely to be in ours as
> well.
>
> And if someone could say with certainty that packages downloaded before
> {date} were safe, it would be more reassuring than "there is little
> risk to Fedora users who wish to install or upgrade signed Fedora
> packages." If the start date of the problem is known, that would be
> really good information for people who keep a local repository and
> don't have to upgrade every new install totally over the network.
>
Well, I know someone on this list said I should feel safe in upgrading  
my F6 box to F9. I don't know if that answers your questions or not.  
That being said, I think I'll wait until F10 or until fresh ISO images  
come out. Despite the fact that my only installation is a single,  
personal box, I don't want to risk getting hacked because someone  
*may* have gotten some bogus packages into the system and/or  
compromised the signing key for Fedora.

Unless/until someone from Fedora says "It is safe to install Fedora 9  
from the original ISO images distributed when F9 was released" I am  
not going to trust that they are safe.



