[PLUG] RedHat/Fedora Crisis
sriramnrn at gmail.com
Wed Sep 17 22:42:22 PDT 2008
On Thu, Sep 18, 2008 at 3:22 AM, Rahul Sundaram
<sundaram at fedoraproject.org> wrote:
> A comparison is not 1:1. Debian problem is self-inflicted. They
> patched openssh incorrectly which resulted in a security vulnerability
> for themselves and derivatives like Ubuntu. Upstream openssh and other
> distributions not related to Debian were not affected. Red Hat is a
> publicly traded company whose servers were illegally accessed. Not the
> same thing at all. Bruce Perens also clearly got several of his details
> wrong as seen in his blog post and it is misleading to say the least.
> * Fedora keys were not used to sign the RHEL ssh package.
> * Fedora and RHEL gpg keys are different
> * We have no evidence of Fedora gpg keys ever being used correctly
> * No tampered packages reached either the Fedora repository or RHEL channel
Thanks for this information. This has not really been publicised well before.
I am going to believe each and every statement of yours which you have
made on this thread.
I visited the fedoraproject.org site just now. I don't see any mention
of any security issue there at all. If there is some link on this
matter at the fedora site, please post that link here.