Linked by David Adams on Thu 11th Sep 2008 16:11 UTC, submitted by Renai LeMay
Privacy, Security, Encryption The Red Hat-supported Fedora Project has started issuing updates to its Linux distribution again, after a hiatus of several weeks caused by a hacker break-in. Late yesterday, Fedora emailed its users to let them know that it would soon issue updates for its most recent Fedora 8 and 9 operating systems.
Thread beginning with comment 330105
To read all comments associated with this story, please click here.
That sounds like a bad idea.
by Bill Shooter of Bul on Thu 11th Sep 2008 19:36 UTC
Bill Shooter of Bul
Member since:
2006-07-14

From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.

Isn't that a golden opportunity for whoever stole the key to inflict further damage?

Plus, all Malory needs to do is intercept the new key and replace it with his own and use it to sign malicious updates with it.

If I'm missing some key detail that makes all of the above mute please let me know.

Reply Score: 1

Finalzone Member since:
2005-07-06

From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.

Isn't that a golden opportunity for whoever stole the key to inflict further damage?


That compromised key is useless given the fact Fedora infrastructure already generated a new version. That cracker would have to pretend to be fedora-announce-list but that will put him/her on criminal action.
https://www.redhat.com/archives/fedora-announce-list/2008-September/...

Reply Parent Score: 3

Bill Shooter of Bul Member since:
2006-07-14

I'm not familiar with the update process in fedora, but if its not done over ssl, they could man in the middle and replace the good packages signed with the old key with bad packages signed with the old key.

Reply Parent Score: 2

Lennie Member since:
2007-09-22

Pretending to be someone else by email isn't really all that complicated. Actually it is really easy.

Reply Parent Score: 1

Rahul Member since:
2005-07-06

The project does not believe that the keys are compromised. Neverthless, it is being changed as a precautionary measure. The couple of transitionary packages are still signed with the old key since Fedora does not allow unsigned packages by default and then everything from then onwards will use the new key.

Reply Parent Score: 3

buff Member since:
2005-11-12

If I'm missing some key detail that makes all of the above mute please let me know.

I think you meant to say moot. For a second there I was confused and thought you were telling your details to quiet down. ;-)

Reply Parent Score: 2