3:13 p.m.
hey all...
not sure if this is the appropriate spot to share or not, but was the
closest I could find "security @ fedora"....
while working on a project, I searched for "Fedora" ami images in the
new-ish AWS region us-east-2 ("ohio"), and was pleasantly surprised to find
the easily discoverable and recognizable ami "Fedora release 26
(ami-f3a18096)" (as well as a a "Fedora release 25".....)
upon booting, I was concerned to find an extra ssh authorized key in
~fedora/.ssh/authorized_keys, and soon realized this was _not_ a sanctioned
Fedora release (as confirmed from https://alt.fedoraproject.org/cloud/).
While yes, this is my fault for not starting from a trusted reference to
find a reliable AMI, I found this a pretty easy pit to fall into.
Don't know if there's a remedy, other than getting real Fedora images into
the frontier AWS regions, but thought that I should share...
--b
5:16 p.m.
I guess it isn't really a "security" thing in a Fedora context; Fedora
doesn't ship whatever this is, so there's no fix that Fedora can apply
to anything within Fedora to make it go away.
However, Fedora could potentially leverage its trademark. I've opened
https://pagure.io/Fedora-Council/tickets/issue/139 to let the Council
know; it would be up to them to decide whether there is an actionable
issue here. If not, I guess some kind of information campaign would be
reasonable, which I guess might also be something the Council would
pursue.
- J<
5:33 p.m.
All this sounds like reasonable responses... Thanks! --b
On Fri, Sep 8, 2017 at 6:16 PM, Jason L Tibbitts III <tibbs(a)math.uh.edu>
wrote:
I guess it isn't really a "security" thing in a Fedora
context; Fedora
doesn't ship whatever this is, so there's no fix that Fedora can apply
to anything within Fedora to make it go away.
However, Fedora could potentially leverage its trademark. I've opened
https://pagure.io/Fedora-Council/tickets/issue/139 to let the Council
know; it would be up to them to decide whether there is an actionable
issue here. If not, I guess some kind of information campaign would be
reasonable, which I guess might also be something the Council would
pursue.
- J<
7:04 p.m.
Interestingly, here's an attack along the same lines.....
https://lwn.net/Articles/733853/
On Fri, Sep 8, 2017 at 6:33 PM, Bowe Strickland <bowe(a)redhat.com> wrote:
All this sounds like reasonable responses... Thanks! --b
On Fri, Sep 8, 2017 at 6:16 PM, Jason L Tibbitts III <tibbs(a)math.uh.edu>
wrote:
> I guess it isn't really a "security" thing in a Fedora context; Fedora
> doesn't ship whatever this is, so there's no fix that Fedora can apply
> to anything within Fedora to make it go away.
>
> However, Fedora could potentially leverage its trademark. I've opened
> https://pagure.io/Fedora-Council/tickets/issue/139 to let the Council
> know; it would be up to them to decide whether there is an actionable
> issue here. If not, I guess some kind of information campaign would be
> reasonable, which I guess might also be something the Council would
> pursue.
>
> - J<
>
2419
days inactive
2427
days old
security@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Bowe Strickland -
Jason L Tibbitts III