August 25, 2008 -- (WEB HOST INDUSTRY REVIEW) -- More than a week after the attack, Linux and open source developer Red Hat has confirmed two intrusions into Fedora and Red Hat servers, during which an intruder was able to sign some of Red Hat's OpenSSH packages, calling their authenticity into question, although the company says there has been no evidence of malicious activity.
"Last week we discovered that some Fedora servers were illegally accessed," Fedora project manager Paul Frields announced Friday in a statement to the development community. "The intrusion into the servers was quickly discovered, and the servers were taken offline."
The unidentified intruder, the company said, was able to sign a small number of OpenSSH packages, and only for Red Hat Enterprise Linux 4 (i386 and x86_64 architectures) and Red Hat Enterprise Linux 5 (x86_64 architecture). Because those packages carry a genuine signature, verifying the signature alone will not reveal them as tampered; as a precaution, the company is therefore releasing updated OpenSSH packages for those products and has published a list of the tampered packages along with instructions for detecting them on installed systems.
The company, however, is taking no chances, Frields assured developers. "While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys," Frields stated, noting that completing the change may require "every Fedora system owner or administrator" to follow a set of prescribed steps to restore trust in Fedora's packages.
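The two preceding paragraphs describe the check an administrator actually needs after an incident like this: compare installed OpenSSH packages against the published list of tampered builds, and confirm that every package was signed by a key you still trust (the allowlist is what changes when a project rotates its signing keys). The script below is an added example written for this article; it is not Red Hat's published detection script. The key IDs, the tampered package names and the sample rpm output are constructed placeholders, and the rpm query format in the comments is the one a practitioner would use to produce the input on a real host.

```sh
#!/bin/sh
# Added example (not Red Hat's published script): audit installed OpenSSH RPMs
# against a list of package builds known to carry the intruder's signature and
# against an allowlist of trusted signing keys.  Every value below that looks
# like data is a CONSTRUCTED placeholder, not Red Hat's or Fedora's real values.

# Short (last 8 hex digits) IDs of the signing keys we trust.  Placeholder values;
# after a key rotation this is the list that gets replaced.
TRUSTED_KEYIDS="1234abcd 0badf00d"

# Package builds (name-version-release.arch) reported as tampered.  Placeholder
# values; on a real system use the list the vendor published with the advisory.
TAMPERED_NEVRAS="openssh-4.3p2-99.example.x86_64
openssh-server-4.3p2-99.example.x86_64"

# Input: one line per package, "<name>-<version>-<release>.<arch> <signature info>",
# where the signature info ends with the signing key ID, as produced by e.g.
#   rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGGPG:pgpsig}\n'
# (SIGGPG for DSA-signed packages, SIGPGP for RSA; an unsigned package prints "(none)").
# Output: one verdict per package, "OK <nevra>" or "FLAGGED <reason> <nevra>".
audit_packages() {
    while read -r nevra siginfo; do
        [ -n "$nevra" ] || continue

        # Normalise the key ID: last token of the signature info, lower-case, last 8 hex digits
        short=$(printf '%s\n' "$siginfo" | awk '{s=tolower($NF); print substr(s, length(s)-7)}')

        state=0
        for k in $TRUSTED_KEYIDS; do
            if [ "$k" = "$short" ]; then state=1; fi
        done

        # A package on the tamper list is flagged even when its signature verifies:
        # the intruder signed with a legitimate key, so a good signature proves nothing here.
        for bad in $TAMPERED_NEVRAS; do
            if [ "$bad" = "$nevra" ]; then state=2; fi
        done

        if [ "$state" -eq 2 ]; then
            echo "FLAGGED known-tampered $nevra"
        elif [ -z "$siginfo" ] || [ "$siginfo" = "(none)" ]; then
            echo "FLAGGED unsigned $nevra"
        elif [ "$state" -eq 0 ]; then
            echo "FLAGGED untrusted-key:$short $nevra"
        else
            echo "OK $nevra"
        fi
    done
}

# Count FLAGGED verdicts in audit output read from stdin; always exits 0.
count_flagged() {
    grep -c '^FLAGGED' || true
}

# Constructed sample of rpm query output standing in for a real host.
SAMPLE_RPM_OUTPUT='openssh-4.3p2-99.example.x86_64 DSA/SHA1, Thu 14 Aug 2008, Key ID 000000001234abcd
openssh-clients-4.3p2-26.example.x86_64 DSA/SHA1, Mon 12 May 2008, Key ID 000000001234abcd
openssh-server-4.3p2-99.example.x86_64 DSA/SHA1, Thu 14 Aug 2008, Key ID 000000001234abcd
openssh-askpass-4.3p2-26.example.x86_64 DSA/SHA1, Mon 12 May 2008, Key ID 00000000deadbeef
openssh-debuginfo-4.3p2-26.example.x86_64 (none)'

# On a real host, replace the sample with the output of the rpm -qa query above.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_packages
```

Run on the constructed sample, the script flags the two listed builds as known-tampered even though they carry the trusted key, flags one package signed by an unknown key and one unsigned package, and passes the remaining package. The order of the checks matters: the tamper list is consulted first precisely because a valid signature is not evidence of integrity in this incident.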
Since the initial announcement, Frields has said that the Fedora infrastructure team has been working hard to restore services. "We started with what we identified as Fedora's 'critical path,' those systems required to restore minimum daily operation...to be completely finished by the end of the day. We then move on to our other value services to complete them as soon as possible."
On Monday, Red Hat release engineer Dennis Gilmore announced that "effective immediately we have replaced the CA that is in use for cvs.fedoraproject.org and koji.fedoraproject.org. This affects uploading to lookaside cache and building packages."