[PLUG] RedHat/Fedora Crisis

Sriram Narayanan sriramnrn at gmail.com
Wed Sep 17 22:42:22 PDT 2008


On Thu, Sep 18, 2008 at 3:22 AM, Rahul Sundaram
<sundaram at fedoraproject.org> wrote:
>
> A comparison is not 1:1. Debian problem is self inflicted. They
> patched openssh incorrectly which resulted in a security vulnerability
> for themselves and derivatives like Ubuntu. Upstream openssh and other
> distributions not related to Debian were not affected.  Red Hat is a
> publicly traded company whose servers were illegally accessed. Not the
> same thing at all.  Bruce Perens also clearly got several of his details
> wrong as seen in his blog post and it is misleading to say the least.
>
> http://blog.perens.com/d/2008/9/11/49268
>
> * Fedora keys were not used to sign the RHEL ssh package.
> * Fedora and RHEL gpg keys are different
> * We have no evidence of Fedora gpg keys ever being used correctly
> * No tampered packages reached either the Fedora repository or RHEL channel

Thanks for this information. This has not really been publicised well before.

I am going to believe each and every statement of yours which you have
made on this thread.

I visited the fedoraproject.org site just now. I don't see any mention
of any security issue there at all. If there is some link on this
matter at the fedora site, please post that link here.

-- Sriram


