Fedora intrusion update

Posted Sep 19, 2008 23:08 UTC (Fri) by vonbrand (subscriber, #4458)
In reply to: Fedora intrusion update by kragil
Parent article: Fedora intrusion update

All they say is that they don't have all the details yet (and maybe they can't share what they have right now, for whatever reasons). They have said again and again that no compromised packages have been shipped, and that the Fedora infrastructure is believed safe now.

An investigation into such an incident is very time-consuming, and making sure that everything is safe (yes, paranoia does kick in hard after something like this happens) is a hard, long-winded job. Plus they are putting procedures in place to switch over to new signing keys, and defining guidelines for handling such intrusions in the future.

Yes, it can be argued that said procedures should have been in place for a long time, but hindsight is always 20-20.


Fedora intrusion update

Posted Sep 19, 2008 23:29 UTC (Fri) by jspaleta (subscriber, #50639)

Speaking of incident procedures: if you can point me to specific, well-documented public incident reporting procedures, I'd gladly take a look at them as a reference for Fedora's. I know Debian had an intrusion in 2004, and did a very good job of dealing with it. But it's not clear if the Debian people were working from an established process or just winging it. Does Debian have a publicly communicated process on how intrusions are to be handled and communicated when they occur? If they do, I'd love to read over it.

-jef

Fedora intrusion update

Posted Sep 20, 2008 5:39 UTC (Sat) by sbergman27 (subscriber, #10767)

No doubt you are looking for something fiddlingly detailed. And there is no doubt something more specific. But it all pretty much follows from this:

http://www.debian.org/social_contract

It may be that more distros need one, or need to pay more than lip service to what they have.

Things only get complicated when one wants to apply "spin" to the disclosure, or lack thereof.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds