[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Fedora distributes new keys

By Jake Edge
September 10, 2008

The Fedora project is back on track after its recent "infrastructure issues" with new package signing keys as well as packages and updates signed with the new keys. Fedora users should be able to pick up the new key and update their systems now, with a minimum of hassle—just verifying and accepting the new key. But, no further information has been released about exactly what went wrong, leading to more speculation and some worry in the Fedora community.

When a user gets a package from their distribution—or, more likely, a mirror of their distribution repository—they need to have some way to determine that it is a valid package. Distributors sign packages using a private key; that signature can then be verified by using the distribution's public key. If the private key gets compromised somehow, malicious packages could be created that would be indistinguishable from the real versions. This is why private signing keys must be well guarded, usually by isolating them on separate machines and encrypting them with a password.

According to one of the announcements about the problem, there is no evidence that the passphrase used to guard the Fedora private signing key has been compromised, though the clear implication is that the encrypted key file may have been captured. Out of an abundance of caution—and perhaps the concern that the passphrase might be guessed or brute-forced—the project decided to generate new keys. Along with new keys come various headaches: re-signing all of the packages as well as getting the keys installed on user's machines.

Getting the keys to users is largely a matter of getting the new fedora-release package—along with PackageKit and friends for GUI-enabled updates—installed. That package contains the new key and repository name (updates-newkey). Of necessity, those updates are the last that will be signed with the old key, so they will install on existing Fedora systems. Once that package makes its way out to the mirrors, users can install it so that they can proceed with any needed updates using the new key.

A yum clean metadata was helpful at the time of this writing to accelerate the process; depending on which mirror is being used and when it gets updated, that may not be needed. After fedora-release is installed, yum list updates gives a long list of updates available, all signed with the new key. All a user needs to do is verify the key and add it to the RPM key database. Verifying the key is a manual step as a user must check its fingerprint against that published on the web site. The method described requires importing the key into gpg, then doing gpg --fingerprint fedora@fedoraproject.org to see the key fingerprint; this is clearly something that could be made easier.

As part of phase one of the re-signing, Fedora has re-signed all Fedora 8 and 9 package updates. Phase two is ongoing, re-signing each package that is distributed as part of the original release of Fedora 8 and 9. Fedora 10 already has a new signing key as well. From the perspective of a possible compromise of the signing keys, things are well on their way back to normal. But there is still the nagging issue of how this all came about to begin with.

Several different questions about the intrusion were directed at the Fedora board from community members in their IRC meeting on September 9. Unfortunately, there was no new information forthcoming, nor was there any indication of when that information might be available. According to the board member Tom "spot" Callaway, information will be released "when we're told that we can by the parties running the investigation, not a second before, and not a second later."

Red Hat is clearly holding all information about the intrusion as a closely guarded secret—whether that is at the behest of law enforcement or just lawyers is unclear. While there was no timeline given, the clear sense that one got from the meeting is that it might be weeks or months before clearance will be granted to even confirm that they know how the intrusion occurred. In addition, the Fedora board has not been officially briefed on the incident; some members have knowledge because of their Red Hat responsibilities, but the rest are in the dark. If one needed a reminder that Fedora is not an independent distribution, but instead is subject to the whims of Red Hat, this is a clear demonstration.

The justification for secrecy is that Red Hat is a publicly traded company so intrusions into its systems need to be treated differently. Some board members believe that had there not been an intrusion into the servers that handle packages for Red Hat Enterprise Linux—that is if it had only been Fedora servers that were affected—the incident would have been handled much more transparently. Overall, the board is clearly unhappy about the situation but, perhaps because they are almost all Red Hat employees, don't see that there is much that can be done about it. That too should serve as a reminder.

It should be noted that Debian has had several server compromises over the years (for example, 1 and 2), which is, perhaps, a poor record of server security, but it is an excellent example of transparency. Debian is rather well known for its independence, which is part of what allows it to be so open. Those incidents do serve as examples; perhaps they are not an exact fit for the current Fedora/RHEL intrusion but that remains to be seen.

It may very well be that Red Hat is between a rock and a hard place here. As a friend to free software, Red Hat is unparalleled, but once in a while it shows that it is foremost a corporation with responsibilities to its shareholders. When those responsibilities conflict with the transparency we have come to expect from free software projects—especially with regard to security issues—that transparency must be set aside. One can argue that Red Hat is being overly protective of the details—confirmation that they either know or do not know how the intrusion occurred for example—but that argument really can't be made until all the facts are known. For that we must wait for the process to run its course.


Index entries for this article
SecurityDistribution security

to post comments

Two break-ins or one?

Posted Sep 10, 2008 19:32 UTC (Wed) by proski (guest, #104) [Link]

Is there any indication that the Red Hat and the Fedora compromises are related? Any information coming from Red Hat and Fedora appears to indicate that it were two separate accidents.

Fedora distributes new keys

Posted Sep 10, 2008 21:32 UTC (Wed) by leoc (guest, #39773) [Link] (4 responses)

When you do the update it will ask you if it is ok to import the new key before it performs the update, so I don't think that manual step is actually required.

Fedora distributes new keys

Posted Sep 11, 2008 16:15 UTC (Thu) by jake (editor, #205) [Link] (3 responses)

> When you do the update it will ask you if it is ok to import the new key
> before it performs the update, so I don't think that manual step is
> actually required.

It definitely does ask if you want to import the new key. If you want to be sure the key it is asking you to import is the actual key that Fedora issued, you have to verify that for yourself. Thus the manual step.

jake

Fedora distributes new keys

Posted Sep 11, 2008 16:25 UTC (Thu) by skvidal (guest, #3094) [Link] (2 responses)

If you run yum with the -y it will import the key automatically. This is so that cron jobs don't start stalling out everywhere.

This isn't a new feature, it's been that way in yum for a looooong time now.

Fedora distributes new keys

Posted Sep 11, 2008 16:34 UTC (Thu) by jake (editor, #205) [Link] (1 responses)

> If you run yum with the -y it will import the key automatically.

Fine, but that still doesn't verify that the key it is trying to import is the key you are wanting to import. In order to verify that (i.e. check the key signature), the manual step is required.

Since package signing keys were part of whatever the "infrastructure issues" were, it would seem prudent to verify them before importing them.

jake

Fedora distributes new keys

Posted Sep 11, 2008 16:39 UTC (Thu) by skvidal (guest, #3094) [Link]

Agreed. It is a great idea. I suggest verifying keys to everyone. I just wanted to be clear that it wasn't REQUIRED in any code sense.

Fedora distributes new keys

Posted Sep 10, 2008 23:09 UTC (Wed) by BrucePerens (guest, #2510) [Link] (20 responses)

it shows that it is foremost a corporation with responsibilities to its shareholders. When those responsibilities conflict with the transparency we have come to expect from free software projects—especially with regard to security issues—that transparency must be set aside.

What this says to me is that getting your engineering from an organization that isn't allowed to put the customer first isn't such a great idea. Debian could handle this better because of the independence that Fedora obviously doesn't have. Good engineering comes when the team has freedom of action.

Fedora distributes new keys

Posted Sep 11, 2008 3:55 UTC (Thu) by luya (subscriber, #50741) [Link] (19 responses)

What would be wise is to wait the result of investigations. As a cCSI, would you fully reveal information before gathering evidences? Unlike Debian, Red Hat is a company.

Fedora distributes new keys

Posted Sep 11, 2008 9:10 UTC (Thu) by russell (guest, #10458) [Link] (18 responses)

But Fedora is suppose to be a community and unfortunately it appears some people in the community are becoming more equal than others.

Fedora distributes new keys

Posted Sep 11, 2008 12:48 UTC (Thu) by skvidal (guest, #3094) [Link] (12 responses)

More equal, how?

More Equal...

Posted Sep 11, 2008 14:30 UTC (Thu) by grantingram (guest, #18390) [Link] (11 responses)

That was a reference to a novel by George Orwell called "Animal Farm" about evil governments. A short explanation is found at bartleby.com

The point I think the poster is making is: some members of the community (Fedora Board members who work for Red Hat) have access to information that others do not (Fedora Board members who do not work for Red Hat).

More Equal...

Posted Sep 11, 2008 14:42 UTC (Thu) by skvidal (guest, #3094) [Link] (10 responses)

I know where the reference is from. What I wanted to know is why you thought that made them 'more equal'. To be clear the 'more equal' folks aren't just employees of red hat. They're the folks who were on the site of the intrusion earliest. Some are red hat employees, some are not.

More Equal...

Posted Sep 11, 2008 15:32 UTC (Thu) by grantingram (guest, #18390) [Link] (1 responses)

Actually I was just attempting to be helpful - I'm not the one who made the "more equal" comment.

But I think that what makes them "more equal" is that they have information that others don't?

More Equal...

Posted Sep 11, 2008 18:11 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

That would true of any sort of project, that some people have more information than others. There is all sort of private and confidential data in many large projects. Even many community distributions have private mailing lists that deal with people, legal and other issues. Doesn't really change their overall nature.

More Equal...

Posted Sep 11, 2008 16:07 UTC (Thu) by jake (editor, #205) [Link] (6 responses)

> They're the folks who were on the site of the intrusion earliest.
> Some are red hat employees, some are not.

This seems to imply they are employees of the hosting/colo facility that Red Hat and Fedora use. If true, it is a little tidbit of information, which seem to keep dribbling out. Perhaps that is what you were trying to say on Tuesday in #fedora-board-public about Debian (or other distros) being just as susceptible to the information disclosure problem as Fedora/Red Hat currently are.

If so, beating around the bush is just causing annoyance to no good end. I recognize that you (and Fedora, perhaps even Red Hat) don't get to make those decisions, but whoever does should get an earful imo.

jake

More Equal...

Posted Sep 11, 2008 16:12 UTC (Thu) by skvidal (guest, #3094) [Link]

No, Nothing to do with the colo at all. There are fedora infrastructure people who are completely trusted and have root to the fedora systems who wer not red hat employees when they were granted access. They are employees, now, however.

Three examples of this:
- Me
- Dennis Gilmore
- Ricky Zhou

I didn't mean to confuse anything.

-sv

Same problem, different perceptions

Posted Sep 11, 2008 17:36 UTC (Thu) by quaid (guest, #26101) [Link] (4 responses)

Jake, thanks for attending the meeting and engaging in a lively discussion. I appreciate that you are trying to separate your feelings/fears/concerns as a Fedora user from your role as a reporter.

In the open public question/discussion channel, I think you showed (and identified) your personal bias that the existence of Red Hat in Fedora's affairs makes Fedora less of a community distro. Myself, other Board members, and other community members provided several examples and reasons of how the situation with Fedora and with previous distro security problems are not equivalent.

There has never been an equivalent situation to what happened to Fedora, and it has nothing to do specifically with Red Hat. Red Hat just happens to be the incorporated-in-the-US entity involved that changed the tenor of the situation. That could happen to any distro, and it does not diminish their being a "truly community distro." I think Seth's example was a great one: 

skvidal 	 lwnjake: here's an example
...
skvidal 	lwnjake: a debian server gets crack[ed]
skvidal 	lwnjake: the cracker hosts A LOT of kiddie porn
skvidal 	and terrorist documentation
...
skvidal 	the hosting provider gets a national security letter
skvidal 	debian is down and out
skvidal 	and not allowed
skvidal 	AT ALL
skvidal 	to speak about it
skvidal 	would that be a failing of debian?
lwnjake 	we can discuss scenarios all day, it doesn't change the fact that you folks can't even confirm whether you know how the intrusion occurred
skvidal 	or would it be the fact that law is different

You and others keep asking questions that people are repeatedly saying they are not able to answer. Ironically, the answer is probably staring you in the face, but if you believe "... it comes from red hat legal or at least that is the perception", you continue to look for answers that implicate an Evil Overlord.

Same problem, different perceptions

Posted Sep 11, 2008 20:16 UTC (Thu) by jake (editor, #205) [Link] (3 responses)

> I think you showed (and identified) your personal bias that the existence
> of Red Hat in Fedora's affairs makes Fedora less of a community distro.

My use of "community" was not really describing what I meant. "Independent" is a much better word and the one I used in the article. I did not mean to push the hot button that Fedora folks have (understandably) about being a "community" distribution.

> if you believe "... it comes from red hat legal or at least that is the
> perception", you continue to look for answers that implicate an Evil
> Overlord.

I, like most folks, don't know what to believe. Someone is stopping you (perhaps not you personally, but Fedora) from telling us important things like whether you know how the intrusion happened. Whoever is doing that has done a grave disservice to the reputation of Fedora and Red Hat.

You, and others, have implied that it is some kind of law enforcement agency, perhaps even a National Security Letter, that is stopping *any* information from being released. If so, one hopes that Red Hat's lawyers are busy doing whatever they can to circumvent that. Fedora and Red Hat have a responsibility to their customers and the community that is being set aside.

It's not that folks don't understand that Fedora cannot say any more than it has, it's that they fairly strongly believe that more could be said without jeopardizing whatever ongoing investigation there is. While we eventually want to know what all the hubbub is about, what we want to know *now*, nearly a month after the incident, is what, if anything, we need to be on the lookout for. If there is some unknown exploit out there, many eyes are more likely to find it than one. If there isn't, then someone should force the entity responsible to *say* so.

jake

Same problem, different perceptions

Posted Sep 11, 2008 20:38 UTC (Thu) by pr1268 (guest, #24648) [Link]

Very well said! And I'd also like to thank you, Jake, for participating in this discussion.

Even as a non-RH/Fedora user, I'm still following this whole story closely as the incident, its aftermath, and RH's/Fedora's corrective strategies all impact Free/Open Source in general.

Same problem, different perceptions

Posted Sep 11, 2008 20:51 UTC (Thu) by skvidal (guest, #3094) [Link] (1 responses)

I'll quote, again, from the announcement from 8/22:

"These efforts have also not resulted in the discovery of additional security vulnerabilities in packages provided by Fedora."

and then I'll quote from my own blog:
" Just to dispell this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."

Hope this helps.

Same problem, different perceptions

Posted Sep 11, 2008 21:08 UTC (Thu) by jake (editor, #205) [Link]

> "These efforts have also not resulted in the discovery of additional
> security vulnerabilities in packages provided by Fedora."

Which can be read several different ways:

- we don't know how the intrusion occurred
- we do know, but it wasn't an "additional security vulnerability" in a package that Fedora ships, which leaves packages that Fedora doesn't ship as well as known, but unpatched, vulnerabilities
- probably other interpretations depending on what the meaning of "is" is

I know you are trying to be helpful and you folks don't like this any more than I do, but after almost a month, I think we are due more than lawyer-ese like the above.

jake

More Equal...

Posted Sep 12, 2008 11:03 UTC (Fri) by russell (guest, #10458) [Link]

see my comment further down

Fedora distributes new keys

Posted Sep 11, 2008 15:03 UTC (Thu) by pjones (subscriber, #31722) [Link] (4 responses)

I think you're making a fundamentally flawed assumption about what it is to be a community. A community is a social structure in which there are relationships that vary on both a domain-specific basis and a trust related basis. In the Fedora community, the people who know the details of this issue are those who have a sufficient history in the community, and who have domain-specific reasons to be involved in the investigation.

It is only natural that many of the people whose histories with Fedora are the longest are employees of Red Hat. Thus, in a situation like this, it's true that those people are going to be the most trusted. It's not an Animal Farm scenario; there are elders, and the elders are those who are called upon for guidance and action when times are tough. That's responsibility, not exclusivity.

Fedora distributes new keys

Posted Sep 12, 2008 9:27 UTC (Fri) by russell (guest, #10458) [Link] (3 responses)

Open content is even more contentious than open source software. There is a large quantity of opposition to keeping information free. Persecution and prosecution of people who work to keep informed content free continues. Because of the danger of self-censorship in a closed or partially open format, it is safer to work entirely in the open.

This snippet of text is taken directly from the Steering Committees charter.

I have no doubt that they believe they are being responsible. But they are also being exclusive.

Time will tell if this really is an animal farm scenario. Right now it certainly feels like it.

Fedora distributes new keys

Posted Sep 13, 2008 0:29 UTC (Sat) by jspaleta (subscriber, #50639) [Link] (2 responses)

To be clear... that is a quote from the Fedora Documentation sub-project's Steering Committee Charter. And it is not a quote from the Fedora Board, nor from the Fedora Engineering Steering Committee, nor from Fedora Infrastructure.

I'm pretty sure that the Fedora Documentation Team aren't directly involved in the incident handling, so a close reading of their charter is probably unwarranted. And even if someone were to read it looking for insight, there probably very little there that can be used the context for the discussion at hand, since the documentation group isn't directly involved.

When we have an incident response plan, I'll do my best to make sure that that Documentation Group has an opportunity to be a part of the process of documenting that plan for public consumption.

-jef

Fedora distributes new keys

Posted Sep 13, 2008 6:01 UTC (Sat) by russell (guest, #10458) [Link] (1 responses)

My mistake, I thought it was the fedora steering committee charter ( documented by the Docs project ).

Doing a search for more charters showed very little else. However, when reading about the board I noticed a mailing list where some things are discussed in private. I didn't expect to see that. What sort of things would those be? This appears to be something that the Docs project wouldn't do? So what exactly are the rules of this community? Something clearing defined and easy to find would be nice if not essential for a community.

Fedora distributes new keys

Posted Sep 14, 2008 11:35 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

Legal issues for instance might be discussed by the Fedora Board in a private list. Documentation team doesn't have the need for that. The Fedora Board wiki page has the details.

Fedora distributes new keys

Posted Sep 15, 2008 2:19 UTC (Mon) by motk (subscriber, #51120) [Link]

* Bad Things occur
* Feds get called in
* Feds say "discuss this not, or else"
* Seth says "screw you, copper, community etc blah" and spills the beans
* HAPPY FUN GAOL TIME

Seth is far too pretty for the Old Nick.

I'm not seeing where this is at all contentious. As I've said before, if RH and Fedora haven't earnt some slack here, then no-one can. The flip side to 'community' is 'sound governance', so let them get on with it.


Copyright © 2008, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds