
The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] Fwd: Re: Heads up for Fedora users

Seen on NBLUG, FYI:

----- Forwarded message from Dave Sisley -----

Date: Fri, 22 Aug 2008 08:49:13 -0700
From: Dave Sisley
Subject: Re: [NBLUG/talk] Heads up for Fedora users
To: "General NBLUG chatter about anything Linux, answers to questions,
	etc." <talk@nblug.org>

Jack Smith wrote:
> Has anyone heard anything more about this?
I too was spooked by the previous messages, and I've been putting off 
any upgrades until I heard it was safe.  It looks like it's okay to 
update now.

I just poked thru the message boards, and the latest posting at the 
fedora-announce-list in the previously cited thread was put up today:


... and includes the following quote:

Our previous warnings against further package updates were based on an
abundance of caution, out of respect for our users. This is also why we
are proceeding with plans to change the Fedora package signing key. We
have already started planning and implementing other additional
safeguards for the future. At this time we are confident there is little
risk to Fedora users who wish to install or upgrade signed Fedora


I use yum, and I've double-checked to make sure that the conf file 
(/etc/yum.conf) has pgpcheck turned on (pgpcheck=1);  I have been known 
to turn it off (to zero) in order to install an unsigned rpm with yum.

So if I read the latest message correctly, Fedora is saying a server of 
theirs was compromised, but they are confident that the packages offered 
are not affected.  To be super-safe, they are changing the pgp keys in 
the chance that the originals were compromised. 

I just tried running 'yum update' to see what was currently available, 
planning to pick something minor to see if it would update, but there's 
'No Packages marked for Update'.  My last update was on the 15th.  I'm 
running an update now on a not-heavily used work box that hadn't been 
updated since May.  I will post if there's an obvious problem with the 

I'd appreciate anyone with a better understanding than mine of the 
issues involved taking a look at the post and offering their take.


> On Fri, Aug 15, 2008 at 12:34 PM, Jack Smith wrote:
>     OK, rereading "don't download or update any additional packages"
>     seems to mean everything.  Drat.
>     On Fri, Aug 15, 2008 at 12:19 PM, Jack Smith wrote:
>         Do they mean "don't update anything", "don't update Fedora",
>         or we don't know yet?
>         On Fri, Aug 15, 2008 at 9:30 AM, Scott Doty wrote:
>             Word on the street (and in #fedora on Freenode) is:  DON'T
>             UPDATE.
>             https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>             It may be coincidence, but there was just a change to
>             package permissions'
>             policy:
>             https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00007.html
>             ...hoping to hear soon what the deal is..
>              -Scott
>         -- 
>         Jack Smith
>         English doesn't borrow from other languages -- English follows
>         other languages down dark alleys and takes what it wants.
>     -- 
>     Jack Smith
>     English doesn't borrow from other languages -- English follows
>     other languages down dark alleys and takes what it wants.
> -- 
> Jack Smith
> English doesn't borrow from other languages -- English follows other 
> languages down dark alleys and takes what it wants.

Dave Sisley

----- End forwarded message -----

"Tux Paint" - free children's drawing software for Windows / Mac OS X / Linux!
Download it today!  http://www.tuxpaint.org/
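
An added example, not part of the forwarded post: a check of the yum signature-verification setting discussed above, extended to the per-repository overrides that the [main] value alone does not show. yum's configuration key is spelled `gpgcheck`; the file contents, file names and repo names below are constructed samples, and treating an unset [main] value as "off" is an assumption of this example.

```python
import configparser

# Constructed sample files (not from any real system).
SAMPLE_MAIN = "[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n"
SAMPLE_REPOS = {
    "fedora.repo": (
        "[fedora]\nname=Fedora\nenabled=1\ngpgcheck=1\n\n"
        "[fedora-debuginfo]\nname=Fedora Debug\nenabled=0\n"
    ),
    "local.repo": "[local-unsigned]\nname=Local builds\nenabled=1\ngpgcheck=0\n",
}

TRUTHY = {"1", "true", "yes", "on"}


def _parse(text):
    # interpolation=None keeps '%' literal; strict=False tolerates repeated sections.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _is_on(value):
    return value.strip().lower() in TRUTHY


def audit_gpgcheck(main_text, repo_files):
    """Return (main_default, findings); findings are repos whose effective
    gpgcheck is off, as (file, repo, enabled, 'explicit' or 'inherited')."""
    # Assumption: a [main] section without gpgcheck is treated as "off".
    default = _is_on(_parse(main_text).get("main", "gpgcheck", fallback="0"))
    findings = []
    sources = dict(repo_files)
    sources["yum.conf"] = main_text  # repo sections may also live in yum.conf
    for fname in sorted(sources):
        cp = _parse(sources[fname])
        for repo in cp.sections():
            if repo == "main":
                continue
            raw = cp.get(repo, "gpgcheck", fallback=None)
            effective = default if raw is None else _is_on(raw)
            if not effective:
                enabled = _is_on(cp.get(repo, "enabled", fallback="1"))
                origin = "inherited" if raw is None else "explicit"
                findings.append((fname, repo, enabled, origin))
    return default, findings


if __name__ == "__main__":
    print(audit_gpgcheck(SAMPLE_MAIN, SAMPLE_REPOS))
```

On a real system the inputs would be the text of /etc/yum.conf and of each file under /etc/yum.repos.d/; a repo that is both enabled and listed in the findings installs packages without a signature check.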