Linked by David Adams on Thu 11th Sep 2008 16:11 UTC, submitted by Renai LeMay
The Red Hat-supported Fedora Project has started issuing updates to its Linux distribution again, after a hiatus of several weeks caused by a hacker break-in. Late yesterday, Fedora emailed its users to let them know that it would soon issue updates for its most recent Fedora 8 and 9 operating systems.
Thread beginning with comment 330105
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
RE: That sounds like a bad idea.
by Finalzone on Thu 11th Sep 2008 19:54
in reply to "That sounds like a bad idea. "
Member since:2005-07-06
From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.
Isn't that a golden opportunity for whoever stole the key to inflict further damage?
Isn't that a golden opportunity for whoever stole the key to inflict further damage?
That compromised key is useless given the fact Fedora infrastructure already generated a new version. That cracker would have to pretend to be fedora-announce-list but that will put him/her on criminal action.
https://www.redhat.com/archives/fedora-announce-list/2008-September/...
RE[2]: That sounds like a bad idea.
by Bill Shooter of Bul on Thu 11th Sep 2008 21:06
in reply to "RE: That sounds like a bad idea. "
Member since:2006-07-14
RE[2]: That sounds like a bad idea.
by Lennie on Fri 12th Sep 2008 19:10
in reply to "RE: That sounds like a bad idea. "
Member since:2007-09-22
RE: That sounds like a bad idea.
by Rahul on Thu 11th Sep 2008 19:54
in reply to "That sounds like a bad idea. "
Member since:2005-07-06
The project does not believe that the keys are compromised. Neverthless, it is being changed as a precautionary measure. The couple of transitionary packages are still signed with the old key since Fedora does not allow unsigned packages by default and then everything from then onwards will use the new key.
RE: That sounds like a bad idea.
by buff on Thu 11th Sep 2008 22:35
in reply to "That sounds like a bad idea. "
Member since:2005-11-12
Member since:
2006-07-14
From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.
Isn't that a golden opportunity for whoever stole the key to inflict further damage?
Plus, all Malory needs to do is intercept the new key and replace it with his own and use it to sign malicious updates with it.
If I'm missing some key detail that makes all of the above mute please let me know.