[PLUG] Fwd: [ILUG-GOA] RedHat/Fedora Crisis - is Red Hat playing Microsoft-like games?

Rahul Sundaram sundaram at fedoraproject.org
Thu Sep 11 21:11:01 PDT 2008


Sudhanwa Jogalekar wrote:
> Forwarded message FYI.
> 
> Probably people from RH or Fedora can comment on this mail.
> 
> Regards
> -Sudhanwa

Bit of a sensationalistic article. True, there are valid concerns and I 
will try and address them:

There are a number of direct announcements send on this issue sharing a 
lot of information which you anyone interested might want to go through

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00009.html
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00002.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00006.html
https://www.redhat.com/archives/fedora-announce-list/2008-September/msg00007.html

As noted,

* Fedora and RHEL gpg keys are different. Security issues with keys in 
one doesn't necessarily affect the other.  Fedora infrastructure was 
taken down as soon as intrusion was detected and all the servers rebuild 
and services restored at this point. Fedora gpg key has been switched to 
avoid any potential problems.

* This is a ongoing investigation and more details will likely be 
confirmed when the investigation is over and everything is known.

* Security through obscurity is a phrase typically used when there are 
security vulnerabilities in software. I don't think it really applies 
when servers are illegally accessed.

* Both Fedora and Red Hat was affected by this issue. With Red Hat as a 
publicly trading company, this situation is completely unprecedented and 
other similar situations for example with couple of different Debian 
server intrusions or the recent SSH patch issue is not a apples to 
apples comparison.

To answer others questions i saw in ilugd (via archives),

http://www.mail-archive.com/ilugd@lists.linux-delhi.org/msg22607.html

Fedora members, both Red Hat and volunteers working on infrastructure 
would be aware of the details. Fedora Board is a majority elected board 
and non Red Hat volunteers do not sign any NDA's.

Others references, I would like to highlight,

https://fedoraproject.org/wiki/Board/Meetings/2008-09-09
http://skvidal.wordpress.com/2008/09/09/fedora-security-incident-discussion-at-the-board-meeting-today/
http://www.montanalinux.org/red-hat-fedora-crisis-response.html

If anyone else have specific questions, I would be happy to answer to 
the extend I know of. Feel free to forward this reply as well.

Rahul





More information about the plug-mail mailing list