[vox] Fwd: Re: Heads up for Fedora users

Bill Kendrick nbs at sonic.net
Fri Aug 22 13:41:35 PDT 2008


Seen on NBLUG, FYI:


----- Forwarded message from Dave Sisley -----

Date: Fri, 22 Aug 2008 08:49:13 -0700
From: Dave Sisley
Subject: Re: [NBLUG/talk] Heads up for Fedora users
To: "General NBLUG chatter about anything Linux, answers to questions,
	etc." <talk at nblug.org>

Jack Smith wrote:
> Has anyone heard anything more about this?
>
I too was spooked by the previous messages, and I've been putting off 
any upgrades until I heard it was safe.  It looks like it's okay to 
update now.

I just poked through the message boards, and the latest posting at the 
fedora-announce-list in the previously cited thread was put up today:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

... and includes the following quote:

Our previous warnings against further package updates were based on an
abundance of caution, out of respect for our users. This is also why we
are proceeding with plans to change the Fedora package signing key. We
have already started planning and implementing other additional
safeguards for the future. At this time we are confident there is little
risk to Fedora users who wish to install or upgrade signed Fedora
packages.

----

I use yum, and I've double-checked to make sure that the conf file 
(/etc/yum.conf) has pgpcheck turned on (pgpcheck=1);  I have been known 
to turn it off (to zero) in order to install an unsigned rpm with yum.

So if I read the latest message correctly, Fedora is saying a server of 
theirs was compromised, but they are confident that the packages offered 
are not affected.  To be super-safe, they are changing the pgp keys in 
the chance that the originals were compromised. 

I just tried running 'yum update' to see what was currently available, 
planning to pick something minor to see if it would update, but there's 
'No Packages marked for Update'.  My last update was on the 15th.  I'm 
running an update now on a not heavily used work box that hadn't been 
updated since May.  I will post if there's an obvious problem with the 
update.

I'd appreciate anyone with a better understanding than mine of the 
issues involved taking a look at the post and offering their take.

-dave.

> On Fri, Aug 15, 2008 at 12:34 PM, Jack Smith wrote:
>
>     OK, rereading "don't download or update any additional packages"
>     seems to mean everything.  Drat.
>
>
>     On Fri, Aug 15, 2008 at 12:19 PM, Jack Smith wrote:
>
>         Do they mean "don't update anything", "don't update Fedora",
>         or we don't know yet?
>
>         On Fri, Aug 15, 2008 at 9:30 AM, Scott Doty wrote:
>
>             Word on the street (and in #fedora on Freenode) is:  DON'T
>             UPDATE.
>
>             https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>
>             It may be coincidence, but there was just a change to
>             package permissions'
>             policy:
>
>              
>             https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00007.html
>
>             ...hoping to hear soon what the deal is..
>
>              -Scott
>         -- 
>         Jack Smith
>
>         English doesn't borrow from other languages -- English follows
>         other languages down dark alleys and takes what it wants.
>     -- 
>     Jack Smith
>
>     English doesn't borrow from other languages -- English follows
>     other languages down dark alleys and takes what it wants.
> -- 
> Jack Smith
>
> English doesn't borrow from other languages -- English follows other 
> languages down dark alleys and takes what it wants.

-- 
Dave Sisley
dsisley at sonic.net
roth-sisley.net

----- End forwarded message -----

-- 
-bill!
"Tux Paint" - free children's drawing software for Windows / Mac OS X / Linux!
Download it today!  http://www.tuxpaint.org/
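
Added example, not part of the forwarded thread: a small audit of the yum signature-check setting discussed in the message above, which yum spells `gpgcheck`. It reports the effective value per repository, since a repo section's own `gpgcheck` overrides the one in `[main]`. The sample config text is constructed; on a real system feed it the contents of /etc/yum.conf and /etc/yum.repos.d/*.repo. Reporting a missing `gpgcheck` line as disabled is an assumption of this example.

```python
import configparser

def _parse(text):
    # interpolation=None keeps yum variables such as $releasever literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _on(section, key, default):
    raw = section.get(key)
    return default if raw is None else raw.strip().lower() in ("1", "true", "yes")

def audit_gpgcheck(yum_conf_text, repo_file_texts):
    """Map each repo id (and "main") to its effective gpgcheck value."""
    main = _parse(yum_conf_text)
    # Assumption of this example: a missing gpgcheck line is reported as disabled.
    main_default = main.has_section("main") and _on(main["main"], "gpgcheck", False)
    result = {"main": main_default}
    for text in [yum_conf_text, *repo_file_texts]:
        cp = _parse(text)
        for repo_id in cp.sections():
            if repo_id != "main":
                # A repo's own gpgcheck overrides [main]; otherwise it inherits.
                result[repo_id] = _on(cp[repo_id], "gpgcheck", main_default)
    return result

def unchecked(result):
    """Names whose packages would be installed without a signature check."""
    return sorted(name for name, enabled in result.items() if not enabled)

# Constructed sample input, not taken from any real machine.
SAMPLE_YUM_CONF = "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n"
SAMPLE_REPOS = ["""\
[fedora]
name=Fedora $releasever - $basearch
gpgcheck=1

[local-test]
name=Local unsigned builds
gpgcheck=0

[extras]
name=No explicit setting
"""]

if __name__ == "__main__":
    for name in unchecked(audit_gpgcheck(SAMPLE_YUM_CONF, SAMPLE_REPOS)):
        print("signature checking off:", name)
```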

