Fedora distributes new keys
The Fedora project is back on track after its recent "infrastructure issues" with new package signing keys as well as packages and updates signed with the new keys. Fedora users should be able to pick up the new key and update their systems now, with a minimum of hassle—just verifying and accepting the new key. But, no further information has been released about exactly what went wrong, leading to more speculation and some worry in the Fedora community.
When a user gets a package from their distribution—or, more likely, a mirror of their distribution repository—they need to have some way to determine that it is a valid package. Distributors sign packages using a private key; that signature can then be verified by using the distribution's public key. If the private key gets compromised somehow, malicious packages could be created that would be indistinguishable from the real versions. This is why private signing keys must be well guarded, usually by isolating them on separate machines and encrypting them with a password.
According to one of the announcements about the problem, there is no evidence that the passphrase used to guard the Fedora private signing key has been compromised, though the clear implication is that the encrypted key file may have been captured. Out of an abundance of caution—and perhaps the concern that the passphrase might be guessed or brute-forced—the project decided to generate new keys. Along with new keys come various headaches: re-signing all of the packages as well as getting the keys installed on user's machines.
Getting the keys to users is largely a matter of getting the new fedora-release package—along with PackageKit and friends for GUI-enabled updates—installed. That package contains the new key and repository name (updates-newkey). Of necessity, those updates are the last that will be signed with the old key, so they will install on existing Fedora systems. Once that package makes its way out to the mirrors, users can install it so that they can proceed with any needed updates using the new key.
A yum clean metadata was helpful at the time of this writing to accelerate the process; depending on which mirror is being used and when it gets updated, that may not be needed. After fedora-release is installed, yum list updates gives a long list of updates available, all signed with the new key. All a user needs to do is verify the key and add it to the RPM key database. Verifying the key is a manual step as a user must check its fingerprint against that published on the web site. The method described requires importing the key into gpg, then doing gpg --fingerprint fedora@fedoraproject.org to see the key fingerprint; this is clearly something that could be made easier.
As part of phase one of the re-signing, Fedora has re-signed all Fedora 8 and 9 package updates. Phase two is ongoing, re-signing each package that is distributed as part of the original release of Fedora 8 and 9. Fedora 10 already has a new signing key as well. From the perspective of a possible compromise of the signing keys, things are well on their way back to normal. But there is still the nagging issue of how this all came about to begin with.
Several different questions about the intrusion were directed at the Fedora
board from
community members in their IRC meeting on
September 9. Unfortunately, there was no new information forthcoming,
nor was there any indication of when that information might be available.
According to the board member Tom "spot" Callaway, information will be
released "when we're told that we can by the parties running the
investigation, not a second before, and not a second later.
"
Red Hat is clearly holding all information about the intrusion as a closely guarded secret—whether that is at the behest of law enforcement or just lawyers is unclear. While there was no timeline given, the clear sense that one got from the meeting is that it might be weeks or months before clearance will be granted to even confirm that they know how the intrusion occurred. In addition, the Fedora board has not been officially briefed on the incident; some members have knowledge because of their Red Hat responsibilities, but the rest are in the dark. If one needed a reminder that Fedora is not an independent distribution, but instead is subject to the whims of Red Hat, this is a clear demonstration.
The justification for secrecy is that Red Hat is a publicly traded company so intrusions into its systems need to be treated differently. Some board members believe that had there not been an intrusion into the servers that handle packages for Red Hat Enterprise Linux—that is if it had only been Fedora servers that were affected—the incident would have been handled much more transparently. Overall, the board is clearly unhappy about the situation but, perhaps because they are almost all Red Hat employees, don't see that there is much that can be done about it. That too should serve as a reminder.
It should be noted that Debian has had several server compromises over the years (for example, 1 and 2), which is, perhaps, a poor record of server security, but it is an excellent example of transparency. Debian is rather well known for its independence, which is part of what allows it to be so open. Those incidents do serve as examples; perhaps they are not an exact fit for the current Fedora/RHEL intrusion but that remains to be seen.
It may very well be that Red Hat is between a rock and a hard place here. As a friend to free software, Red Hat is unparalleled, but once in a while it shows that it is foremost a corporation with responsibilities to its shareholders. When those responsibilities conflict with the transparency we have come to expect from free software projects—especially with regard to security issues—that transparency must be set aside. One can argue that Red Hat is being overly protective of the details—confirmation that they either know or do not know how the intrusion occurred for example—but that argument really can't be made until all the facts are known. For that we must wait for the process to run its course.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
Posted Sep 10, 2008 19:32 UTC (Wed)
by proski (subscriber, #104)
[Link]
Posted Sep 10, 2008 21:32 UTC (Wed)
by leoc (guest, #39773)
[Link] (4 responses)
Posted Sep 11, 2008 16:15 UTC (Thu)
by jake (editor, #205)
[Link] (3 responses)
It definitely does ask if you want to import the new key. If you want to be sure the key it is asking you to import is the actual key that Fedora issued, you have to verify that for yourself. Thus the manual step.
jake
Posted Sep 11, 2008 16:25 UTC (Thu)
by skvidal (guest, #3094)
[Link] (2 responses)
This isn't a new feature, it's been that way in yum for a looooong time now.
Posted Sep 11, 2008 16:34 UTC (Thu)
by jake (editor, #205)
[Link] (1 responses)
Fine, but that still doesn't verify that the key it is trying to import is the key you are wanting to import. In order to verify that (i.e. check the key signature), the manual step is required.
Since package signing keys were part of whatever the "infrastructure issues" were, it would seem prudent to verify them before importing them.
jake
Posted Sep 11, 2008 16:39 UTC (Thu)
by skvidal (guest, #3094)
[Link]
Posted Sep 10, 2008 23:09 UTC (Wed)
by BrucePerens (guest, #2510)
[Link] (20 responses)
What this says to me is that getting your engineering from an organization that isn't allowed to put the customer first isn't such a great idea. Debian could handle this better because of the independence that Fedora obviously doesn't have. Good engineering comes when the team has freedom of action.
Posted Sep 11, 2008 3:55 UTC (Thu)
by luya (subscriber, #50741)
[Link] (19 responses)
Posted Sep 11, 2008 9:10 UTC (Thu)
by russell (guest, #10458)
[Link] (18 responses)
Posted Sep 11, 2008 12:48 UTC (Thu)
by skvidal (guest, #3094)
[Link] (12 responses)
Posted Sep 11, 2008 14:30 UTC (Thu)
by grantingram (guest, #18390)
[Link] (11 responses)
That was a reference to a novel by George Orwell called "Animal Farm" about evil governments. A short explanation is found at bartleby.com The point I think the poster is making is: some members of the community (Fedora Board members who work for Red Hat) have access to information that others do not (Fedora Board members who do not work for Red Hat).
Posted Sep 11, 2008 14:42 UTC (Thu)
by skvidal (guest, #3094)
[Link] (10 responses)
Posted Sep 11, 2008 15:32 UTC (Thu)
by grantingram (guest, #18390)
[Link] (1 responses)
Actually I was just attempting to be helpful - I'm not the one who made the "more equal" comment. But I think that what makes them "more equal" is that they have information that others don't?
Posted Sep 11, 2008 18:11 UTC (Thu)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Sep 11, 2008 16:07 UTC (Thu)
by jake (editor, #205)
[Link] (6 responses)
This seems to imply they are employees of the hosting/colo facility that Red Hat and Fedora use. If true, it is a little tidbit of information, which seem to keep dribbling out. Perhaps that is what you were trying to say on Tuesday in #fedora-board-public about Debian (or other distros) being just as susceptible to the information disclosure problem as Fedora/Red Hat currently are.
If so, beating around the bush is just causing annoyance to no good end. I recognize that you (and Fedora, perhaps even Red Hat) don't get to make those decisions, but whoever does should get an earful imo.
jake
Posted Sep 11, 2008 16:12 UTC (Thu)
by skvidal (guest, #3094)
[Link]
Three examples of this:
I didn't mean to confuse anything.
-sv
Posted Sep 11, 2008 17:36 UTC (Thu)
by quaid (guest, #26101)
[Link] (4 responses)
Jake, thanks for attending the meeting and engaging in a lively discussion. I appreciate that you are trying to separate your feelings/fears/concerns as a Fedora user from your role as a reporter.
In the open public question/discussion channel, I think you showed (and identified) your personal bias that the existence of Red Hat in Fedora's affairs makes Fedora less of a community distro. Myself, other Board members, and other community members provided several examples and reasons of how the situation with Fedora and with previous distro security problems are not equivalent.
There has never been an equivalent situation to what happened to Fedora, and it has nothing to do specifically with Red Hat. Red Hat just happens to be the incorporated-in-the-US entity involved that changed the tenor of the situation. That could happen to any distro, and it does not diminish their being a "truly community distro." I think Seth's example was a great one:
You and others keep asking questions that people are repeatedly saying they are not able to answer. Ironically, the answer is probably staring you in the face, but if you believe "... it comes from red hat legal or at least that is the perception", you continue to look for answers that implicate an Evil Overlord.
Posted Sep 11, 2008 20:16 UTC (Thu)
by jake (editor, #205)
[Link] (3 responses)
My use of "community" was not really describing what I meant. "Independent" is a much better word and the one I used in the article. I did not mean to push the hot button that Fedora folks have (understandably) about being a "community" distribution.
> if you believe "... it comes from red hat legal or at least that is the
I, like most folks, don't know what to believe. Someone is stopping you (perhaps not you personally, but Fedora) from telling us important things like whether you know how the intrusion happened. Whoever is doing that has done a grave disservice to the reputation of Fedora and Red Hat.
You, and others, have implied that it is some kind of law enforcement agency, perhaps even a National Security Letter, that is stopping *any* information from being released. If so, one hopes that Red Hat's lawyers are busy doing whatever they can to circumvent that. Fedora and Red Hat have a responsibility to their customers and the community that is being set aside.
It's not that folks don't understand that Fedora cannot say any more than it has, it's that they fairly strongly believe that more could be said without jeopardizing whatever ongoing investigation there is. While we eventually want to know what all the hubbub is about, what we want to know *now*, nearly a month after the incident, is what, if anything, we need to be on the lookout for. If there is some unknown exploit out there, many eyes are more likely to find it than one. If there isn't, then someone should force the entity responsible to *say* so.
jake
Posted Sep 11, 2008 20:38 UTC (Thu)
by pr1268 (subscriber, #24648)
[Link]
Very well said! And I'd also like to thank you, Jake, for participating in this discussion. Even as a non-RH/Fedora user, I'm still following this whole story closely as the incident, its aftermath, and RH's/Fedora's corrective strategies all impact Free/Open Source in general.
Posted Sep 11, 2008 20:51 UTC (Thu)
by skvidal (guest, #3094)
[Link] (1 responses)
"These efforts have also not resulted in the discovery of additional security vulnerabilities in packages provided by Fedora."
and then I'll quote from my own blog:
Hope this helps.
Posted Sep 11, 2008 21:08 UTC (Thu)
by jake (editor, #205)
[Link]
Which can be read several different ways:
- we don't know how the intrusion occurred
I know you are trying to be helpful and you folks don't like this any more than I do, but after almost a month, I think we are due more than lawyer-ese like the above.
jake
Posted Sep 12, 2008 11:03 UTC (Fri)
by russell (guest, #10458)
[Link]
Posted Sep 11, 2008 15:03 UTC (Thu)
by pjones (subscriber, #31722)
[Link] (4 responses)
It is only natural that many of the people whose histories with Fedora are the longest are employees of Red Hat. Thus, in a situation like this, it's true that those people are going to be the most trusted. It's not an Animal Farm scenario; there are elders, and the elders are those who are called upon for guidance and action when times are tough. That's responsibility, not exclusivity.
Posted Sep 12, 2008 9:27 UTC (Fri)
by russell (guest, #10458)
[Link] (3 responses)
This snippet of text is taken directly from the Steering Committees charter.
I have no doubt that they believe they are being responsible. But they are also being exclusive. Time will tell if this really is an animal farm scenario. Right now it certainly feels like it.
Posted Sep 13, 2008 0:29 UTC (Sat)
by jspaleta (subscriber, #50639)
[Link] (2 responses)
I'm pretty sure that the Fedora Documentation Team aren't directly involved in the incident handling, so a close reading of their charter is probably unwarranted. And even if someone were to read it looking for insight, there probably very little there that can be used the context for the discussion at hand, since the documentation group isn't directly involved.
When we have an incident response plan, I'll do my best to make sure that that Documentation Group has an opportunity to be a part of the process of documenting that plan for public consumption.
-jef
Posted Sep 13, 2008 6:01 UTC (Sat)
by russell (guest, #10458)
[Link] (1 responses)
Doing a search for more charters showed very little else. However, when reading about the board I noticed a mailing list where some things are discussed in private. I didn't expect to see that. What sort of things would those be? This appears to be something that the Docs project wouldn't do? So what exactly are the rules of this community? Something clearing defined and easy to find would be nice if not essential for a community.
Posted Sep 14, 2008 11:35 UTC (Sun)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Sep 15, 2008 2:19 UTC (Mon)
by motk (subscriber, #51120)
[Link]
Seth is far too pretty for the Old Nick.
I'm not seeing where this is at all contentious. As I've said before, if RH and Fedora haven't earnt some slack here, then no-one can. The flip side to 'community' is 'sound governance', so let them get on with it.
Is there any indication that the Red Hat and the Fedora compromises are related? Any information coming from Red Hat and Fedora appears to indicate that it were two separate accidents.
Two break-ins or one?
Fedora distributes new keys
Fedora distributes new keys
> before it performs the update, so I don't think that manual step is
> actually required.
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
it shows that it is foremost a corporation with responsibilities to its shareholders. When those responsibilities conflict with the transparency we have come to expect from free software projects—especially with regard to security issues—that transparency must be set aside.
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
More Equal...
More Equal...
More Equal...
More Equal...
More Equal...
> Some are red hat employees, some are not.
More Equal...
- Me
- Dennis Gilmore
- Ricky Zhou
Same problem, different perceptions
skvidal lwnjake: here's an example
...
skvidal lwnjake: a debian server gets crack[ed]
skvidal lwnjake: the cracker hosts A LOT of kiddie porn
skvidal and terrorist documentation
...
skvidal the hosting provider gets a national security letter
skvidal debian is down and out
skvidal and not allowed
skvidal AT ALL
skvidal to speak about it
skvidal would that be a failing of debian?
lwnjake we can discuss scenarios all day, it doesn't change the fact that you folks can't even confirm whether you know how the intrusion occurred
skvidal or would it be the fact that law is different
Same problem, different perceptions
> of Red Hat in Fedora's affairs makes Fedora less of a community distro.
> perception", you continue to look for answers that implicate an Evil
> Overlord.
Same problem, different perceptions
Same problem, different perceptions
" Just to dispell this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."
Same problem, different perceptions
> security vulnerabilities in packages provided by Fedora."
- we do know, but it wasn't an "additional security vulnerability" in a package that Fedora ships, which leaves packages that Fedora doesn't ship as well as known, but unpatched, vulnerabilities
- probably other interpretations depending on what the meaning of "is" is
More Equal...
Fedora distributes new keys
Open content is even more contentious than open source software. There is a large quantity of opposition to keeping information free. Persecution and prosecution of people who work to keep informed content free continues. Because of the danger of self-censorship in a closed or partially open format, it is safer to work entirely in the open.
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
Fedora distributes new keys
* Feds get called in
* Feds say "discuss this not, or else"
* Seth says "screw you, copper, community etc blah" and spills the beans
* HAPPY FUN GAOL TIME