[PLUG] RedHat/Fedora Crisis
Sriram Narayanan
sriramnrn at gmail.com
Thu Sep 18 11:12:22 IST 2008
On Thu, Sep 18, 2008 at 3:22 AM, Rahul Sundaram
<sundaram at fedoraproject.org> wrote:
>
> A comparison is not 1:1. Debian problem is self inflicted. They
> patched openssh incorrectly which resulted in a security vulnerability
> for themselves and derivatives like Ubuntu. Upstream openssh and other
> distributions not related to Debian were not affected. Red Hat is a
> publicly traded company whose servers were illegally accessed. Not the
> same thing at all. Bruce Perens also clearly got several of his details
> wrong as seen in his blog post and it is misleading to say the least.
>
> http://blog.perens.com/d/2008/9/11/49268
>
> * Fedora keys were not used to sign the RHEL ssh package.
> * Fedora and RHEL gpg keys are different
> * We have no evidence of Fedora gpg keys ever being used correctly
> * No tampered packages reached either the Fedora repository or RHEL channel
Thanks for this information. This has not really been publicised well before.
I am going to believe each and every statement of yours which you have
made on this thread.
I visited the fedoraproject.org site just now. I don't see any mention
of any security issue there at all. If there is some link on this
matter at the fedora site, please post that link here.
-- Sriram