non-disclosure of infrastructure problem a management issue?

David dgboles at gmail.com
Fri Aug 22 16:40:13 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anne Wilson wrote:
> On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
>> Just guessing,
>>
>> This smells like a hacker was detected or a hack was discovered.
>> As readers of this list will note the historic resolution for a
>> hacked system has been to do a full reload which takes time.
>>
>> Ssh key management may also be at issue given the key generation flaw known
>> as the Debian SSH key attacks.   In some cases a key can be recovered in
>> 20 min...  In this case the issue might be poor keys generated outside
>> of RH and not a flaw in RH process or tools.
>>
>> If it had been a blown disk farm we would have more info already.
>>
>> The more I read about the SSH key attacks the more convinced
>> I am that there is a need to update my set of keys for me and my systems.
>>
>> In time they will tell.
>
> Today's announcement is pretty clear.  There was an intrusion, and it affected
> the server which signs packages, hence the warning to hold off until tests
> had been done.  All the evidence is that the key passphrase was not
> successfully hacked, so it's unlikely that we have any corrupt packages if we
> only accept signed ones.  New signatures are to play safe, and it is now safe
> to resume normal working practices.
>
> I still think that the very low-volume announce list is essential for all
> Fedora users.


At the very least it should be suggested, recommended, or maybe an
'auto signup' when signing up for any other of the 'public type' lists.
For them, the newer users, because it is important. Those of us with
experience know, or should know, enough to do that.

It is very low volume list so even those with 'limits' should see the
value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but
then the 'I didn't know' whines should stop because of the 'opt-out'.
Those that opt-out, and whine, should be ignored.  ;-)

- --


  David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiu6+0ACgkQAO0wNI1X4QGKOQCgsmU7E9k59W2oE2GGMlFIJeZV
yH0AmQH2R9cQj22OUGgRfbw7J9D+Hd69
=AQyj
-----END PGP SIGNATURE-----

More information about the fedora-list mailing list