The enterprise Linux software vendor referred to the incident on Aug. 14 as "an issue in the infrastructure systems," and Fedora users have been speculating since about what prompted the serious tone of that notice.
Fedora project manager Paul Frields is urging Fedora users not to try to download the Fedora operating system or update packages until Red Hat gives the all clear. He said administrators and security specialists are working to clear up the incident and reinstall the Fedora systems.
"The intrusion into the servers was quickly discovered, and the servers were taken offline. ... One of the compromised Fedora servers was a system used for signing Fedora packages," Frields announced eight days after he first warned users of an infrastructure issue.
Frields posted a notice Friday on the project's Infrastructure report Web page that Red Hat planned to institute a new pass phrase for the signing server. The pass phrase is used to secure the package signing key, which allows the server to attach a digital signature indicating a download comes from a Red Hat Fedora server and not an imposter.
"We have high confidence that the intruder was not able to capture the pass phrase used to secure the Fedora package signing key," Frields wrote. Had the pass phrase fallen into the wrong hands undetected, it could have been used to unlock the key and vouch for the authenticity of bogus downloads.
Frields said "there is no definitive evidence that the Fedora key has been compromised," but Red Hat is changing to new signing keys anyway, he said in the posting. "The pass phrase was not used during the time of the intrusion on the system and the pass phrase is not stored on any of the Fedora servers," Frields wrote.
The Aug. 14 warning not to update Fedora systems "was based on an abundance of caution, out of respect for our users," he added.
Fedora is the frequently updated or "experimental" version of Red Hat Linux that is often far ahead of Red Hat's Enterprise Linux version. A community of contributors and users makes up the Fedora project, and they frequently update the many packages of code that make up their full Linux distribution.
Changing the signing key is an extreme precaution. Such a move "may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps," Frields wrote. Red Hat spokesmen were not able to elaborate on what the steps might be.
Red Hat administrators emphasized that the Fedora project download servers were separate from Red Hat business systems and Red Hat Enterprise Linux.
"The Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages," according to a message sent to all Red Hat Enterprise Linux users.
Red Hat has been checking the integrity of Fedora code on its download servers and found it intact. Users with previously downloaded packages will be exposed to "little risk" if they decide to go ahead and install them, Frields' posting said.
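For a user deciding whether to install a package downloaded before the notice, the check that ties a download to the signing key is rpm's own signature verification. The following POSIX shell helper is an added example, not code from the article or the Fedora project: it classifies the verdict line that `rpm -K` prints, wraps the check for a package file, and lists the signing keys the local rpm database currently trusts. It assumes rpm is in PATH; the sample verdict lines and the key ID in them are constructed.

```shell
#!/bin/sh
# Added example; assumes an rpm-based host. Sample lines below are constructed.

# rpm -K prints one verdict line per package: lowercase tokens for checks that
# passed, uppercase for failures, ending in "OK" or "NOT OK", and it appends
# the IDs of signing keys it could not find or does not trust.
classify_checksig() {
  line=$1
  case $line in
    *"MISSING KEYS"*)   echo "missing-key" ;;   # signed by a key not imported locally
    *"UNTRUSTED KEYS"*) echo "untrusted-key" ;; # key present but not trusted
    *"NOT OK"*)         echo "bad" ;;           # digest or signature mismatch
    *" OK")             echo "ok" ;;
    *)                  echo "unknown" ;;
  esac
}

# Run rpm's signature and digest check on a package file and print a verdict.
# rpm exits non-zero on any failure, so the exit status is not used here; the
# printed line is classified instead. Returns 0 only for a clean verdict.
verify_rpm() {
  pkg=$1
  out=$(rpm -K "$pkg" 2>&1) || true
  verdict=$(classify_checksig "$out")
  echo "$pkg: $verdict"
  [ "$verdict" = "ok" ]
}

# List the package-signing keys the local rpm database trusts. After a key
# rotation like the one described above, the replacement key shows up as a
# new gpg-pubkey entry next to the old one.
list_trusted_keys() {
  rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Constructed sample verdicts in the format rpm printed at the time; the key
# ID 0123abcd is a placeholder, not a real Fedora key.
SAMPLE_OK='foo-1.0-1.fc9.noarch.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_NOKEY='foo-1.0-1.fc9.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)'
SAMPLE_BAD='foo-1.0-1.fc9.noarch.rpm: SHA1 DSA md5 GPG NOT OK'

# Usage: verify every package path given on the command line.
if [ $# -gt 0 ]; then
  for p in "$@"; do verify_rpm "$p"; done
fi
```

A package that classifies as `missing-key` after the key change is not necessarily tampered with; it is signed by a key the local database has not imported, which is exactly the state the rotation leaves users in until the new key is installed.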
In a related note, InformationWeek has published its 2008 Strategic Security Survey. The report can be downloaded here (registration required).