Infrastructure report, 2008-08-22 UTC 1200

Michael J Gruber michaeljgruber+gmane at fastmail.fm
Fri Aug 22 14:54:34 UTC 2008


Alexandre Dulaunoy venit, vidit, dixit 22.08.2008 16:33:
> On Fri, Aug 22, 2008 at 2:00 PM, Paul W. Frields <stickster at gmail.com> wrote:
> 
> 
>> One of the compromised Fedora servers was a system used for signing
>> Fedora packages. However, based on our efforts, we have high confidence
>> that the intruder was not able to capture the passphrase used to secure
>> the Fedora package signing key.
> 
> Sorry, but there is information on the redhat.com website that somehow
> contradicts the fact that the attacker was not able to capture the
> passphrase (and sign packages):
> 
> http://www.redhat.com/security/data/openssh-blacklist.html
> 
> "In connection with the incident, the intruder was able to sign a
> small number of
> OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and
> x86_64 architectures only)
> and Red Hat Enterprise Linux 5 (x86_64 architecture only)."
> 
> As far as I know, there is a separation between Red Hat and the Fedora
> Project, but if the attacker was able to sign packages for Red Hat
> Enterprise.... why was he not able to do so for Fedora packages (including
> source packages)?
> 
> Could you provide us with more information about the differences in the
> signing process between Fedora and Red Hat? At least to give us some idea
> of why we should be confident in past and currently signed packages.
> 
> Thanks a lot,
> 
> adulau

As Paul pointed out, the keys are different, and the Fedora key was not
in use (no passphrase typed in) during the critical time frame. Funny
thing is:

- Fedora's key will be changed, not RHEL's, which has been compromised.
- High-security private keys are best kept on bare metal and used on
boxes with no incoming network access. This doesn't seem to apply to the
package signing keys.

Michael
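The key separation and revocation the thread turns on, as an added example that is not part of the original thread and not Fedora or Red Hat tooling. It stands in Go's standard-library Ed25519 for the OpenPGP/RPM signing the thread discusses; the two signing hosts, the attacker key, the key ID derivation, the trust store layout and the package bytes are all constructed here for illustration. The online verifier holds public keys only, which is the property behind the "no incoming network" point, and a key pinned earlier but revoked after an incident is rejected even though its signatures still verify mathematically.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DetachedSig is what travels alongside a package: which key signed it and the signature.
type DetachedSig struct {
	KeyID string
	Sig   []byte
}

// KeyID derives a short fingerprint from a public key (constructed scheme; OpenPGP
// derives key IDs differently, this only needs to be stable and collision-free here).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Signer models an offline signing host: the only place its private key ever exists.
type Signer struct{ priv ed25519.PrivateKey }

func NewSigner() (*Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public exports the public half, which is all the online verifier receives.
func (s *Signer) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign produces a detached signature over the package bytes.
func (s *Signer) Sign(pkg []byte) DetachedSig {
	return DetachedSig{KeyID: KeyID(s.Public()), Sig: ed25519.Sign(s.priv, pkg)}
}

// TrustStore is the verifier's pinned public keys plus the keys withdrawn after an incident.
type TrustStore struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
	for _, k := range keys {
		ts.trusted[KeyID(k)] = k
	}
	return ts
}

// Revoke withdraws trust in a key; signatures made with it are refused from now on.
func (ts *TrustStore) Revoke(pub ed25519.PublicKey) { ts.revoked[KeyID(pub)] = true }

var (
	ErrUnknownKey = errors.New("signature from a key that is not in the trust store")
	ErrRevokedKey = errors.New("signature from a key revoked after an incident")
	ErrBadSig     = errors.New("signature does not verify over the package contents")
)

// Verify checks revocation first, then pinning, then the signature itself.
func (ts *TrustStore) Verify(pkg []byte, sig DetachedSig) error {
	if ts.revoked[sig.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := ts.trusted[sig.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, pkg, sig.Sig) {
		return ErrBadSig
	}
	return nil
}

// Scenario walks through the cases the thread raises with two illustrative signing
// hosts ("distroA" and "distroB", constructed names) and an attacker-generated key.
func Scenario() (map[string]error, error) {
	distroA, err := NewSigner()
	if err != nil {
		return nil, err
	}
	distroB, err := NewSigner()
	if err != nil {
		return nil, err
	}
	attacker, err := NewSigner() // never pinned by any verifier
	if err != nil {
		return nil, err
	}
	pkg := []byte("constructed sample package bytes") // stands in for an RPM payload
	tampered := append(append([]byte{}, pkg...), " (modified)"...)

	ts := NewTrustStore(distroA.Public(), distroB.Public())
	out := map[string]error{}
	out["A-signed"] = ts.Verify(pkg, distroA.Sign(pkg))
	out["attacker-signed"] = ts.Verify(pkg, attacker.Sign(pkg))
	out["A-signed-then-tampered"] = ts.Verify(tampered, distroA.Sign(pkg))
	out["B-signed-before-revocation"] = ts.Verify(pkg, distroB.Sign(pkg))
	ts.Revoke(distroB.Public()) // B's host was compromised: withdraw B, A is untouched
	out["B-signed-after-revocation"] = ts.Verify(pkg, distroB.Sign(pkg))
	out["A-signed-after-B-revoked"] = ts.Verify(pkg, distroA.Sign(pkg))
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, v := range out {
		fmt.Printf("%-28s %v\n", k, v)
	}
}
```

Revocation is checked before the signature so that a perfectly valid signature from a withdrawn key is still refused; that is the difference between "the signature verifies" and "the package should be trusted", and it is why changing or revoking the key on the compromised host matters regardless of whether the passphrase was captured.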
