[NBLUG/talk] Heads up for Fedora users
Dave Sisley
dsisley at sonic.net
Fri Aug 22 08:49:13 PDT 2008
Jack Smith wrote:
> Has anyone heard anything more about this?
>
I too was spooked by the previous messages, and I've been putting off
any upgrades until I heard it was safe. It looks like it's okay to
update now.

I just poked thru the message boards, and the latest posting at the
fedora-announce-list in the previously cited thread was put up today:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

... and includes the following quote:

    Our previous warnings against further package updates were based on an
    abundance of caution, out of respect for our users. This is also why we
    are proceeding with plans to change the Fedora package signing key. We
    have already started planning and implementing other additional
    safeguards for the future. At this time we are confident there is little
    risk to Fedora users who wish to install or upgrade signed Fedora
    packages.

----

I use yum, and I've double-checked to make sure that the conf file
(/etc/yum.conf) has pgpcheck turned on (pgpcheck=1); I have been known
to turn it off (to zero) in order to install an unsigned rpm with yum.

So if I read the latest message correctly, Fedora is saying a server of
theirs was compromised, but they are confident that the packages offered
are not affected. To be super-safe, they are changing the pgp keys in
the chance that the originals were compromised.

I just tried running 'yum update' to see what was currently available,
planning to pick something minor to see if it would update, but there's
'No Packages marked for Update'. My last update was on the 15th. I'm
running an update now on a not-heavily used work box that hadn't been
updated since May. I will post if there's an obvious problem with the
update.

I'd appreciate anyone with a better understanding than mine of the
issues involved taking a look at the post and offering their take.

-dave.

> On Fri, Aug 15, 2008 at 12:34 PM, Jack Smith
> <jack.delbert at gmail.com> wrote:
>
> OK, rereading "don't download or update any additional packages"
> seems to mean everything. Drat.
>
>
> On Fri, Aug 15, 2008 at 12:19 PM, Jack Smith
> <jack.delbert at gmail.com> wrote:
>
> Do they mean "don't update anything", "don't update Fedora",
> or we don't know yet?
>
> On Fri, Aug 15, 2008 at 9:30 AM, Scott Doty
> <scott at ponzo.net> wrote:
>
> Word on the street (and in #fedora on Freenode) is: DON'T
> UPDATE.
>
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>
> It may be coincidence, but there was just a change to
> package permissions' policy:
>
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00007.html
>
> ...hoping to hear soon what the deal is..
>
> -Scott
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>
>
>
>
> --
> Jack Smith
>
> English doesn't borrow from other languages -- English follows
> other languages down dark alleys and takes what it wants.
>
--
Dave Sisley
dsisley at sonic.net
roth-sisley.net
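
An added example, not part of the original message: yum's key for signature checking is spelled `gpgcheck`, and a value set in a `.repo` file overrides the `[main]` default, so looking at /etc/yum.conf alone can miss a repository with verification turned off. The Python below reports enabled repositories whose effective setting is off; the sample file contents are constructed, and treating a missing setting as "off" is an assumption of this example.

```python
import configparser

# Constructed sample file contents (not taken from a real system).
SAMPLE_FILES = {
    "/etc/yum.conf": "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n",
    "/etc/yum.repos.d/fedora.repo":
        "[fedora]\nname=Fedora $releasever\nenabled=1\n",
    "/etc/yum.repos.d/local.repo":
        "[local-unsigned]\nname=Local builds\nenabled=1\ngpgcheck=0\n"
        "[local-off]\nname=Unused\nenabled=0\ngpgcheck=0\n",
}

def _flag(section, key, default):
    """Read a 0/1 style option; use `default` when the key is absent."""
    raw = section.get(key)
    if raw is None:
        return default
    return raw.strip().lower() in ("1", "true", "yes", "on")

def audit_gpgcheck(files):
    """files maps path -> file text. Returns (main_default, findings), where
    findings lists enabled repos whose effective gpgcheck is off."""
    parsers = {}
    for path, text in files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text, source=path)
        parsers[path] = cp
    # [main] sets the default for every repository.
    # Assumption of this example: a missing setting counts as "off".
    main_default = False
    for cp in parsers.values():
        if cp.has_section("main"):
            main_default = _flag(cp["main"], "gpgcheck", main_default)
    findings = []
    for path, cp in parsers.items():
        for name in cp.sections():
            if name == "main":
                continue
            repo = cp[name]
            if not _flag(repo, "enabled", True):
                continue  # disabled repos are not consulted by 'yum update'
            if not _flag(repo, "gpgcheck", main_default):
                why = "repo override" if "gpgcheck" in repo else "inherited from [main]"
                findings.append((path, name, why))
    return main_default, findings

if __name__ == "__main__":
    print(audit_gpgcheck(SAMPLE_FILES))
```

To audit a real host, build the `files` dictionary from the text of /etc/yum.conf and each file under /etc/yum.repos.d/.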