Malicious applications on RedHat servers were signed by a compromised key on the Ceph infrastructure and it's public-facing counterpart Inktank
Unknown at the time of the writing, yet no signs of clear compromise are available.
The development platform ceph was compromised, as well as its signing gpg key. The public facing component Inktank was also compromised.