Scott Ehrlich wrote:

What exactly does the announcement mean to the CentOS community?

This is not an easy answer.

From what point in the past to what point present/future should the user community be concerned?

This happened currently. And as far as we can say now it only concerned our CMS (xoops in this case). And even there we are fairly sure that nothing has happened - resetting all passwords was a measure to make sure that *if* we had a compromised account, the attacker wouldn't be able to use the same password.

Once you find the final culprit, how sure will you be whether any issue is/was malicious vs benign?

I do not understand that question.

Do you perform regular server checksums to compare what _might_ have changed (i.e. tripwire, etc)?

There are measures in place to provide at least a certain level of security - which is hard in case of a CMS where other people have logins.

What is the level and mitigation of damage control - current and future?

What are you trying to get at? This issue *only* concerned our web server. None of the machines actually "doing" the distribution are even reachable by that machine.

What additional specifics can we learn from you - from safe/tainted media checksum files to ISO media itself? From keeping machines up and running to needing a fresh install?

As said before: None of the machines which are used for composing the distribution are touched by this issue. These machines are not reachable by the outside - and you always have signed packages.

Could the same thing happen, or did it, with the upstream provider, or is it limited to the CentOS community?

We don't know. But as upstream does not use xoops, they probably did not have that issue. Both sites being down was a coincidence.

The only machine which had a problem was the web server. And even there we are fairly sure by now that the machine was not misused.

Ralph