we'll see about that ;).
> Red Hat signing key compromise didn't happen on several occasions.
i'm sure they'd be really glad to know that for sure but as these things tend to stand, they cannot know that so you can't know that either.
> Just once
you mean one compromise became public enough that it couldn't be swept under the carpet.
> and details are at http://rhn.redhat.com/errata/RHSA-2008-0855.html.
there're no details about the compromise and that on-going investigation seems to have never finished as 4 years after we still don't know what exactly happened (hello kernel.org). yes, you don't know that either.
rpm: code execution
Posted Apr 5, 2012 23:47 UTC (Thu) by rahulsundaram (subscriber, #21946)
Posted Apr 6, 2012 14:36 UTC (Fri) by PaXTeam (subscriber, #24616)
Posted Apr 7, 2012 5:29 UTC (Sat) by rahulsundaram (subscriber, #21946)
Posted Apr 7, 2012 19:28 UTC (Sat) by PaXTeam (subscriber, #24616)
let's keep this civil ;).
> Proving a negative is not possible.
actually, it depends. i'm pretty sure you could prove that no numbers in the set of the integer powers of 2 are divisible by 3. besides, you're basically saying that you wanted to contradict the OP by making an unprovable statement.
> Keys got changed as a precaution which again I am sure you were already aware of.
i know what they said but that's not what *you* said. you made the blanket statement (again, to contradict the OP) that the Fedora signing key wasn't compromised. not even the Fedora guys dared to make such a statement, why did you then?
Posted Apr 7, 2012 20:33 UTC (Sat) by rahulsundaram (subscriber, #21946)
Posted Apr 7, 2012 21:35 UTC (Sat) by PaXTeam (subscriber, #24616)
> OP made a claim without evidence.
the reason for that is simple: when RH/Fedora guys learned of the compromise, they got irrefutable evidence that 1. such a stunt was actually possible, 2. at least one entity had successfully pulled it off. from this any incident responder will conclude that it must have then been possible for other entities as well and that is actually the reason for the Fedora key change (RH's saving grace was the HSM): they did *not* have the option/choice of not changing the signing key, they *had* to do it because at that point someone else may very well have been signing fake packages left and right. to conclude, the OP has every reason to suspect more than one compromise, down to the signing key, just because it had actually occurred once in the past already. yes, that also means that all this package signing security buys one only so much.
Posted Apr 8, 2012 1:58 UTC (Sun) by rahulsundaram (subscriber, #21946)
Posted Apr 8, 2012 18:55 UTC (Sun) by PaXTeam (subscriber, #24616)
why would i have asked him/her if i fundamentally find no fault with his/her thinking? (i explained in previous posts why)
> So I don't find your style convincing either.
for that matter you didn't ask OP *anything* either, you went for a straight counterclaim (more like speculation, really), so it seems you don't find your own style convincing either ;).
> The latter part is just speculation and you are free to engage in it.
it's no less speculation than your own speculation (or as any security professional would call it, wishful thinking ;).
Posted Apr 8, 2012 20:50 UTC (Sun) by rahulsundaram (subscriber, #21946)
Posted Apr 8, 2012 21:07 UTC (Sun) by PaXTeam (subscriber, #24616)
Posted Apr 8, 2012 23:03 UTC (Sun) by rahulsundaram (subscriber, #21946)
Posted Apr 6, 2012 15:56 UTC (Fri) by amacater (subscriber, #790)
Fedora infrastructure was compromised at some separate time: hence the one Fedora instance where there were two sets of packages - one from "old key" one from "new key".
My comment was from memory: but there was more than one occasion, as I recalled.
Posted Apr 7, 2012 5:34 UTC (Sat) by rahulsundaram (subscriber, #21946)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds