The Fedora Infrastructure team is currently investigating an issue in the infrastructure systems. That process may result in service outages, for which we apologize in advance. We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.
We'll share updates as we develop more information. Those updates will be published here on the public fedora-announce-list: https://redhat.com/mailman/listinfo/fedora-announce-list
Thanks for your patience as we continue working on this.
Uh oh. This sounds very much like there's been a security breach on infrastructure systems, which may have compromised packages or even repositories.
I've disabled automatic installation of updates for the moment; I'm not sure what else we can do.
Danny.
Paul W. Frields wrote:
The Fedora Infrastructure team is currently investigating an issue in the infrastructure systems. That process may result in service outages, for which we apologize in advance. We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.
We'll share updates as we develop more information. Those updates will be published here on the public fedora-announce-list: https://redhat.com/mailman/listinfo/fedora-announce-list
Thanks for your patience as we continue working on this.
-- Paul W. Frields gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717 http://paul.frields.org/ - - http://pfrields.fedorapeople.org/ irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
-- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
On 2008-08-15, at 13:35:46, Danny Yee danny@anatomy.usyd.edu.au wrote:
Uh oh. This sounds very much like there's been a security breach on infrastructure systems, which may have compromised packages or even repositories.
I've disabled automatic installation of updates for the moment; I'm not sure what else we can do.
Actually, I think thousands of users are downloading at least the metadata because there was no clear way of disabling PackageKit on update. And the metadata, in theory, can exploit a bug in yum, all out of sight of users.
That's what you get when you force users to download things in the background for them. Told ya!
Lam
On Fri, 2008-08-15 at 08:03 +0200, Leszek Matok wrote:
Actually, I think thousands of users are downloading at least the metadata because there was no clear way of disabling PackageKit on update. And the metadata, in theory, can exploit a bug in yum, all out of sight of users.
Nice speculation, but I would rather wait for hard facts.
That's what you get when you force users to download things in the background for them. Told ya!
Apple and Microsoft both do the same. Unless we download and install security updates automatically then we are not a serious contender for the home market.
PackageKit will only allow automatic updates of signed packages. If we're pumping out invalid signed updates then, well, meh.
Richard.
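Richard's point is that PackageKit only auto-installs signed packages; on a given box that only holds if every repo definition actually enforces gpgcheck. The following is an added example, not code from the thread or from PackageKit, that audits yum-style repo files for sections not setting gpgcheck=1 (the repo file, repo names and URLs are constructed for the example):

```shell
#!/bin/sh
# Added example, not code from the thread: audit yum/PackageKit repo files
# for sections that do not enforce GPG signature checking. Assumes the
# /etc/yum.repos.d/*.repo INI layout; sample files are constructed below.

# Print "<file> <section> <gpgcheck|unset> <gpgkey|none>" for every
# repo section whose gpgcheck is not exactly 1 (unset inherits [main]).
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function flush() {
                if (sec != "" && check != "1")
                    printf "%s %s %s %s\n", file, sec, (check == "" ? "unset" : check), (key == "" ? "none" : key)
            }
            /^[ \t]*\[[^]]+\][ \t]*$/ {                 # new [section]
                flush(); sec = $0
                sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
                check = ""; key = ""; next
            }
            /^[ \t]*[#;]/ { next }                      # comment line
            /^[ \t]*gpgcheck[ \t]*=/ { check = val($0); next }
            /^[ \t]*gpgkey[ \t]*=/   { key = val($0); next }
            function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
            END { flush() }
        ' "$f"
    done
}

# Constructed sample repo file with hypothetical repo names and URLs.
make_samples() {
    mkdir -p "$1"
    cat > "$1/example.repo" <<'EOF'
[example-signed]
baseurl=http://mirror.example.invalid/signed/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[example-unsigned]
baseurl=http://mirror.example.invalid/unsigned/
gpgcheck=0
[example-unset]
baseurl=http://mirror.example.invalid/unset/
EOF
}

tmp=$(mktemp -d); make_samples "$tmp"; audit_repos "$tmp"; rm -rf "$tmp"
```

Run it against /etc/yum.repos.d instead of the sample directory to see which of your own repos would let unsigned packages through.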
Richard Hughes wrote:
PackageKit will only allow automatic updates of signed packages. If we're pumping out invalid signed updates then, well, meh.
The implication of the announcement is that signed updates may be compromised (or possibly even the key). How else can we read this?
"as a precaution, we recommend you not download or update any additional packages on your Fedora systems"
Danny.
"DY" == Danny Yee danny@anatomy.usyd.edu.au writes:
DY> Richard Hughes wrote:
PackageKit will only allow automatic updates of signed packages. If we're pumping out invalid signed updates then, well, meh.
DY> How else can we read this?
You can read that as people being tremendously cautious in the face of a situation whose details are not completely known.
(And please note that I don't know what is going on either.)
- J<
On Fri, Aug 15, 2008 at 6:57 AM, Danny Yee danny@anatomy.usyd.edu.au wrote:
Richard Hughes wrote:
PackageKit will only allow automatic updates of signed packages. If we're pumping out invalid signed updates then, well, meh.
The implication of the announcement is that signed updates may be compromised (or possibly even the key). How else can we read this?
"as a precaution, we recommend you not download or update any additional packages on your Fedora systems"
Danny.
It could also be that the build system got a bad compiler installed (or a compiler got corrupted) and the signed builds have had errors in them. Not a security breach, but something that would cause problems. Trying to find out where, which servers were affected, and how that happened would be just as labor intensive.
Or it could be that NFS has been banging bits before the package gets signed... or there was a zombie outbreak in PHX and they are chewing on the wires...
Richard Hughes wrote:
On Fri, 2008-08-15 at 08:03 +0200, Leszek Matok wrote:
Actually, I think thousands of users are downloading at least the metadata because there was no clear way of disabling PackageKit on update. And the metadata, in theory, can exploit a bug in yum, all out of sight of users.
Nice speculation, but I would rather wait for hard facts.
That's what you get when you force users to download things in the background for them. Told ya!
Apple and Microsoft both do the same. Unless we download and install security updates automatically then we are not a serious contender for the home market.
Ummm, does OS X really force updates if I uncheck the boxes that say 'Check for updates (frequency drop-down)' and 'Download important updates automatically'?
Ummm, does OS X really force updates if I uncheck the boxes that say 'Check for updates (frequency drop-down)' and 'Download important updates automatically'?
From what I can tell, neither does Fedora.
I have packagekit set up to tell me when new updates are available, and the notification works.
I REALLY get the impression that someone is forcing you to use fedora against your wishes. :s