Ceph Signing Key and Binary Downloads
It was discovered that Ceph community sites were compromised. Ceph verified the upstream source that is distributed via http://download.ceph.com/tarballs/ is safe. Ubuntu verified that the source tarballs used in the Ubuntu archive match the verified safe upstream versions. People using ceph packages from the official Ubuntu repositories are not affected.
Those using debs downloaded from Ceph's affected community sites are affected and you should update your APT keys and packages as per Ceph's announcement.
Timeline
- 2015 Sep 09: Ubuntu first became aware of the issue
2015 Sep 17: Ceph announces issue to the public