[PLUG] RedHat/Fedora Crisis
sundaram at fedoraproject.org
Wed Sep 17 14:52:24 PDT 2008
Kaustubh Gadkari wrote:
> On Thu, Sep 11, 2008 at 2:21 AM, Sudhanwa Jogalekar
> <sudhanwa.com at gmail.com> wrote:
>> Forwarded message FYI.
>> Probably people from RH or Fedora can comment on this mail.
> Bruce Perens had a few good comments about the situation and compared
> the way Debian handled their SSH bug vs the way RedHat handled it.
The comparison is not 1:1. Debian's problem was self-inflicted. They
patched openssh incorrectly, which resulted in a security vulnerability
for themselves and derivatives like Ubuntu. Upstream openssh and other
distributions not related to Debian were not affected. Red Hat is a
publicly traded company whose servers were illegally accessed. Not the
same thing at all. Bruce Perens also clearly got several of his details
wrong, as seen in his blog post, and it is misleading to say the least.
* Fedora keys were not used to sign the RHEL ssh package.
* Fedora and RHEL gpg keys are different
* We have no evidence of Fedora gpg keys ever having been used correctly
* No tampered packages reached either the Fedora repository or RHEL channel