On August 22, the Fedora Project released an "infrastructure report" confirming what most observers had, by then, suspected: the project had suffered a major security breach. The attacker got as far as a system used to sign packages distributed by Fedora. That, of course, is something close to a worst-case scenario: if an intruder has control over such a system, it's a relatively small step to capture the package signing key and the passphrase used to employ that key.