"""
Fortunately for the Fedora Project (and its users), an audit has determined that nobody made use of the key while the intruder was present.
"""
Uhhh, how do we know that, exactly?
"""
...but Red Hat has been able to convince itself that none of the compromised packages were fed out to RHEL subscribers. So this attack, too, failed - but not by much.
"""
And how, exactly, can we be sure of that?
The strictly proper, though perhaps impractical, procedure at this point would be for affected RHEL users to reinstall. And Fedora users, too, really. In this particular situation, there is too much at stake on all sides to allow for blind trust on the users' part.
Posted Aug 26, 2008 6:16 UTC (Tue) by drag (subscriber, #31333)
Or if you're paranoid and you're using Fedora/Red Hat, just disable OpenSSH.
Compile it from scratch or whatever you want.
Fedora, Red Hat, and distributor security
Posted Aug 26, 2008 17:16 UTC (Tue) by sbergman27 (guest, #10767)
The CentOS folks are kind enough to do that for me.
Recompiling Fedora, though, is not as trivial as you seem to imply. It takes the CentOS team two weeks to a month to make the much smaller and more stable recompiled RHEL available after a new release. (Though individual package/security updates are lightning fast to arrive.)
Fedora, Red Hat, and distributor security
Posted Aug 26, 2008 18:22 UTC (Tue) by drag (subscriber, #31333)
Well I didn't mean the entire OS. Just OpenSSH.
If you want an entire new OS, just use Debian or CentOS! :D
Fedora, Red Hat, and distributor security
Posted Aug 26, 2008 6:18 UTC (Tue) by JoeBuck (subscriber, #2330)
If you've suddenly decided not to trust that Red Hat and Fedora are telling the truth, what are you going to install? You could install from older media, and then you get the security bugs back. To get the bug fixes, you have to upgrade, but since you say that you won't trust that they've gotten the bad guys out, how are you going to do that?
There's no rational reason why a reinstall would be a good move.
Fedora, Red Hat, and distributor security
Posted Aug 26, 2008 17:39 UTC (Tue) by sbergman27 (guest, #10767)
"""
If you've suddenly decided not to trust that Red Hat and Fedora are telling the truth, what are you going to install?
"""
Good point. It really depends upon how many hours, days, or weeks, one thinks that the "infrastructure issues" have actually been going on. Their carefully worded statement (written by RH Legal and channeled through Paul, IMO) implies that they caught it quickly. If one believes that, then one could simply reinstall and apply only the security related updates. (There is a yum plugin to do that.) As of Aug 25, 2008, they have not released any security updates since Aug 12, 2008 anyway. And I think that we can be reasonably certain that they have expunged the intruders at this time. If the baddies had actually been into their infrastructure for longer, it may make more sense to reinstall... another distro. (I would not be in that camp, though.) The problem, there, is deciding what to install. For servers SLES comes to mind. But I'd trust Novell even less during such a time of crisis. I'm really, really, not one to push Debian. But, in this context, I must admit that I would trust them, more than just about anyone else, to be forthcoming, communicative, and to do the right thing (after a number of absolutely *huge* and entertaining flame wars on their mailing lists) even if it meant damaging their reputation. Viewed from a financial liability standpoint, whereas Red Hat has much to protect, with Debian... well... you can't get blood out of a turnip.
Oh my. I fear that I may have succeeded in offending pretty much everybody with this post. Try to take it in the spirit in which it was intended. :-)