08-24-2008, 04:21 PM
Anders Karlsson

Infrastructure report, 2008-08-22 UTC 1200

* Miles Sabin <miles@milessabin.com> [20080824 16:39]:
> We know nothing of the sort. In fact the RH announcement suggests
> exactly the opposite ... why else distribute a script to check for
> compromised RHEL packages?

Because some people don't exclusively use RHN ?

/Anders

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
08-24-2008, 04:32 PM
"Miles Sabin"

Infrastructure report, 2008-08-22 UTC 1200

On Sun, Aug 24, 2008 at 5:21 PM, Anders Karlsson <anders@trudheim.co.uk> wrote:
> * Miles Sabin <miles@milessabin.com> [20080824 16:39]:
>> We know nothing of the sort. In fact the RH announcement suggests
>> exactly the opposite ... why else distribute a script to check for
>> compromised RHEL packages?
>
> Because some people don't exclusively use RHN ?

And that matters because?

Cheers,


Miles

 
08-24-2008, 06:52 PM
Anders Karlsson

Infrastructure report, 2008-08-22 UTC 1200

* Miles Sabin <miles@milessabin.com> [20080824 19:02]:
> On Sun, Aug 24, 2008 at 5:21 PM, Anders Karlsson <anders@trudheim.co.uk> wrote:
> > * Miles Sabin <miles@milessabin.com> [20080824 16:39]:
> >> We know nothing of the sort. In fact the RH announcement suggests
> >> exactly the opposite ... why else distribute a script to check for
> >> compromised RHEL packages?
> >
> > Because some people don't exclusively use RHN ?
>
> And that matters because?

Right - so you have no idea how RHEL updates are distributed, or about
RHEL infrastructure, yet you quite happily will draw conclusions which
ever way takes your fancy?

If you are a paying Red Hat customer, call your support representative
and *ask* them rather than wildly speculate on the list. You admit
that you do not have enough facts to draw conclusions, and then
immediately proceed to draw conclusions..? What gives?

Re-read http://www.redhat.com/security/data/openssh-blacklist.html and
take your time with it.

"We are issuing this alert primarily for those who may obtain Red Hat
binary packages via channels other than those of official Red Hat
subscribers."

Do you now see the reason for the script?

/Anders

 
08-24-2008, 07:00 PM
"Paul W. Frields"

Infrastructure report, 2008-08-22 UTC 1200

On Sat, 2008-08-23 at 19:11 -0400, Horst H. von Brand wrote:
> Why couldn't this much (little?) be told the world when it was discovered?
> I believe the rampant speculation around this issue has done much more to
> damage Fedora than anything that could have come out of this announcement.

I agree that rampant speculation is bad, which is why we encourage
people not to engage in it in the absence of facts. Nevertheless, open
discussion *is* encouraged, and sometimes those two precepts simply come
into conflict. Someone asked this question on FAB list, which I've
answered in the following thread:

http://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00083.html

--
Paul W. Frields
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://paul.frields.org/ - - http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
 
08-24-2008, 07:36 PM
Laszlo BERES

Infrastructure report, 2008-08-22 UTC 1200

Miles Sabin wrote:
>> Signing is a thing, distributing a signed package through the official ways
>> is another. The latter didn't happen as we know.
>
> We know nothing of the sort. In fact the RH announcement suggests
> exactly the opposite ... why else distribute a script to check for
> compromised RHEL packages?

Because there are people who update their systems with "gotten" packages
(without subscription). If one of them downloads a malicious package
from somewhere, the attacker wins.


--
BÉRES László RHCE, RHCX senior IT engineer, trainer
Red Hat, Fedora, CentOS, SELinux: http://sys-admin.hu

 
08-29-2008, 05:04 PM
Vassilios Kotoulas

Infrastructure report, 2008-08-22 UTC 1200

> Paul W. Frields wrote:
> > Last week we discovered that some Fedora servers were illegally
> > accessed. The intrusion into the servers was quickly discovered, and the
> > servers were taken offline.
> > [...]

are there any news? can we safely install packages from fedora
repositories?



--
Vassilios Kotoulas
GPG Key ID 0xb1703df8

 
09-01-2008, 09:57 AM
Tim

Infrastructure report, 2008-08-22 UTC 1200

On Fri, 2008-08-29 at 19:04 +0200, Vassilios Kotoulas wrote:
> are there any news? can we safely install packages from fedora
> repositories?

I've only seen messages that the ball is rolling towards getting ready.
I suggest you join the Fedora Announce list, I'm sure that an
announcement will be made there when they're ready. It'll probably be
reposted here, too.

There's very few messages on the announce list, you won't be deluged by
scads more mail.

--
[tim@localhost ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.




 
09-01-2008, 11:58 PM
"Paul W. Frields"

Infrastructure report, 2008-08-22 UTC 1200

On Mon, 2008-09-01 at 19:27 +0930, Tim wrote:
> On Fri, 2008-08-29 at 19:04 +0200, Vassilios Kotoulas wrote:
> > are there any news? can we safely install packages from fedora
> > repositories?
>
> I've only seen messages that the ball is rolling towards getting ready.
> I suggest you join the Fedora Announce list, I'm sure that an
> announcement will be made there when they're ready. It'll probably be
> reposted here, too.
>
> There's very few messages on the announce list, you won't be deluged by
> scads more mail.

We've announced already that we've assessed the risk as being low, so we
are no longer advising that people avoid installs or updates:
http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

However, updates created after the time of our service interruption may
not yet be available, since we are working on a package signing key
update. You will still be able to install and update from packages
created before that point.

--
Paul W. Frields
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://paul.frields.org/ - - http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
 
