[PLUG] RedHat/Fedora Crisis

Rahul Sundaram sundaram at fedoraproject.org
Wed Sep 17 14:52:24 PDT 2008


Kaustubh Gadkari wrote:
> On Thu, Sep 11, 2008 at 2:21 AM, Sudhanwa Jogalekar
> <sudhanwa.com at gmail.com> wrote:
>> Forwarded message FYI.
>>
>> Probably people from RH or Fedora can comment on this mail.
> 
> Bruce Perens had a few good comments about the situation and compared
> the way Debian handled their SSH bug vs the way RedHat handled it.
> 
> http://linux.slashdot.org/article.pl?sid=08/09/10/029231

The comparison is not 1:1. Debian's problem is self-inflicted. They 
patched openssh incorrectly, which resulted in a security vulnerability 
for themselves and derivatives like Ubuntu. Upstream openssh and other 
distributions not related to Debian were not affected. Red Hat is a 
publicly traded company whose servers were illegally accessed. Not the 
same thing at all. Bruce Perens also clearly got several of his details 
wrong, as seen in his blog post, and it is misleading to say the least.

http://blog.perens.com/d/2008/9/11/49268

* Fedora keys were not used to sign the RHEL ssh package.
* Fedora and RHEL gpg keys are different.
* We have no evidence of Fedora gpg keys ever having been used correctly.
* No tampered packages reached either the Fedora repository or the RHEL channel.

Rahul