Kaustubh Gadkari wrote:
> On Thu, Sep 11, 2008 at 2:21 AM, Sudhanwa Jogalekar
> <[EMAIL PROTECTED]> wrote:
>> Forwarded message FYI.
>>
>> Probably people from RH or Fedora can comment on this mail.
>
> Bruce Perens had a few good comments about the situation and compared
> the way Debian handled their SSH bug vs the way RedHat handled it.
>
> http://linux.slashdot.org/article.pl?sid=08/09/10/029231
The comparison is not 1:1. The Debian problem is self-inflicted. They patched openssh incorrectly, which resulted in a security vulnerability for themselves and derivatives like Ubuntu. Upstream openssh and other distributions not related to Debian were not affected. Red Hat is a publicly traded company whose servers were illegally accessed. Not the same thing at all.

Bruce Perens also clearly got several of his details wrong, as seen in his blog post, and it is misleading to say the least.

http://blog.perens.com/d/2008/9/11/49268

* Fedora keys were not used to sign the RHEL ssh package.
* Fedora and RHEL gpg keys are different.
* We have no evidence of Fedora gpg keys ever having been used correctly.
* No tampered packages reached either the Fedora repository or RHEL channel.

Rahul

--
______________________________________________________________________
Pune GNU/Linux Users Group Mailing List: (plug-mail@plug.org.in)
List Information: http://plug.org.in/cgi-bin/mailman/listinfo/plug-mail
Send 'help' to [EMAIL PROTECTED] for mailing instructions.