[PLUG] Fwd: [ILUG-GOA] RedHat/Fedora Crisis - is Red Hat playing Microsoft-like games?
Rahul Sundaram
sundaram at fedoraproject.org
Fri Sep 12 09:41:01 IST 2008
Sudhanwa Jogalekar wrote:
> Forwarded message FYI.
>
> Probably people from RH or Fedora can comment on this mail.
>
> Regards
> -Sudhanwa
Bit of a sensationalistic article. True, there are valid concerns, and I
will try to address them:
There are a number of direct announcements sent on this issue sharing a
lot of information, which anyone interested might want to go through:
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00009.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00002.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00006.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00007.html
As noted,
* Fedora and RHEL GPG keys are different. Security issues with keys in
one don't necessarily affect the other. Fedora infrastructure was
taken down as soon as the intrusion was detected, and all the servers have
been rebuilt and services restored at this point. The Fedora GPG key has been
switched to avoid any potential problems.
* This is an ongoing investigation, and more details will likely be
confirmed when the investigation is over and everything is known.
* Security through obscurity is a phrase typically used when there are
security vulnerabilities in software. I don't think it really applies
when servers are illegally accessed.
* Both Fedora and Red Hat were affected by this issue. With Red Hat as a
publicly traded company, this situation is completely unprecedented, and
other similar situations, for example the couple of different Debian
server intrusions or the recent SSH patch issue, are not an apples-to-apples
comparison.
To answer other questions I saw in ilugd (via archives),
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/msg22607.html
Fedora members, both from Red Hat and volunteers working on infrastructure,
would be aware of the details. The Fedora Board is a majority-elected board,
and non-Red Hat volunteers do not sign any NDAs.
Other references I would like to highlight:
https://fedoraproject.org/wiki/Board/Meetings/2008-09-09
http://skvidal.wordpress.com/2008/09/09/fedora-security-incident-discussion-at-the-board-meeting-today/
http://www.montanalinux.org/red-hat-fedora-crisis-response.html
If anyone else has specific questions, I would be happy to answer to
the extent I know. Feel free to forward this reply as well.
Rahul