Sudhanwa Jogalekar wrote:
> Forwarded message FYI.
>
> Probably people from RH or Fedora can comment on this mail.
>
> Regards
> -Sudhanwa
Bit of a sensationalistic article. True, there are valid concerns and I will try and address them. There are a number of direct announcements sent on this issue sharing a lot of information, which anyone interested might want to go through:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00009.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00002.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00006.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00007.html

As noted,

* Fedora and RHEL gpg keys are different. Security issues with keys in one don't necessarily affect the other. Fedora infrastructure was taken down as soon as the intrusion was detected, and all the servers have been rebuilt and services restored at this point. The Fedora gpg key has been switched to avoid any potential problems.

* This is an ongoing investigation and more details will likely be confirmed when the investigation is over and everything is known.

* Security through obscurity is a phrase typically used when there are security vulnerabilities in software. I don't think it really applies when servers are illegally accessed.

* Both Fedora and Red Hat were affected by this issue. With Red Hat as a publicly traded company, this situation is completely unprecedented, and other similar situations, for example the couple of different Debian server intrusions or the recent SSH patch issue, are not an apples-to-apples comparison.

To answer other questions I saw in ilugd (via archives), http://www.mail-archive.com/[EMAIL PROTECTED]/msg22607.html

Fedora members, both Red Hat and volunteers working on infrastructure, would be aware of the details. The Fedora Board is a majority elected board and non-Red Hat volunteers do not sign any NDAs.

Other references I would like to highlight:

https://fedoraproject.org/wiki/Board/Meetings/2008-09-09
http://skvidal.wordpress.com/2008/09/09/fedora-security-incident-discussion-at-the-board-meeting-today/
http://www.montanalinux.org/red-hat-fedora-crisis-response.html

If anyone else has specific questions, I would be happy to answer to the extent I know. Feel free to forward this reply as well.

Rahul

--
______________________________________________________________________
Pune GNU/Linux Users Group Mailing List: ([email protected])
List Information: http://plug.org.in/cgi-bin/mailman/listinfo/plug-mail
Send 'help' to [EMAIL PROTECTED] for mailing instructions.
