On Thu, Sep 18, 2008 at 3:22 AM, Rahul Sundaram <[EMAIL PROTECTED]> wrote:
>
> A comparison is not 1:1. Debian problem is self inflicted. They
> patched openssh incorrectly which resulted in a security vulnerability
> for themselves and derivatives like Ubuntu. Upstream openssh and other
> distributions not related to Debian were not affected. Red Hat is a
> publicly traded company whose servers were illegally accessed. Not the
> same thing at all. Bruce Perens also clearly got several of his details
> wrong as seen in his blog post and it is misleading to say the least.
>
> http://blog.perens.com/d/2008/9/11/49268
>
> * Fedora keys were not used to sign the RHEL ssh package.
> * Fedora and RHEL gpg keys are different
> * We have no evidence of Fedora gpg keys ever being used correctly
> * No tampered packages reached either the Fedora repository or RHEL channel

Thanks for this information. This has not really been publicised well before. I am going to believe each and every statement of yours which you have made on this thread.

I visited the fedoraproject.org site just now. I don't see any mention of any security issue there at all. If there is some link on this matter at the fedora site, please post that link here.

--
Sriram

--
______________________________________________________________________
Pune GNU/Linux Users Group Mailing List: (plug-mail@plug.org.in)
List Information: http://plug.org.in/cgi-bin/mailman/listinfo/plug-mail
Send 'help' to [EMAIL PROTECTED] for mailing instructions.