Recent rumors were confirmed today by a post to the Fedora Infrastructure mailing list: some of Fedora’s core servers were hacked.
One of the compromised Fedora servers was a system used for signing
Fedora packages. However, based on our efforts, we have high confidence
that the intruder was not able to capture the passphrase used to secure
the Fedora package signing key. Based on our review to date, the
passphrase was not used during the time of the intrusion on the system
and the passphrase is not stored on any of the Fedora servers.
So, to summarize: a breach was detected, but no harm appears to have been done. That is good news, but it leaves us wondering whether the way the servers were hacked has actually been identified.
Whether related or not, there has also been an intrusion into Red Hat’s systems. There, it looks like the intruders got a bit further:
In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
If you look a bit further than the reassuring language, it’s actually pretty scary. The intruder was able to sign some packages: that suggests to me that whoever was accessing Red Hat’s systems has been actively working with the Red Hat packaging system and has gained access to the keys used to sign these packages. As with the Fedora news, this leaves me a bit puzzled. I hope that some more details will be forthcoming.