Re: Debian contributor Register of Interests

2017-05-15 Thread Paul Wise
On Tue, May 9, 2017 at 4:16 PM, Jonathan Dowland wrote:

> From time to time (usually during flamewars) the issue of potential conflicts
> of interests sometimes comes up in various places in or around our community.

Today while moderating screenshots.d.n I found what I consider to be a
conflict of interest. Someone uploaded a photograph of a screen
running a Debian package, with the logo of their employer printed on
the area surrounding the screen and the camera angled to include both
the screen and the logo. Since this was plainly advertising I've
rejected the screenshot. Subsequently I thought to search my mail for
this company and was surprised at the result. Consequently I contacted
the person I assume uploaded the screenshot and asked them to resubmit
without the logo.

I'm not sure if this register of interests helps or not but I hope the
Debian community will do better than the above in future.

Perhaps what we need is a culture of awareness of our own personal
potential conflicts of interest and guidelines for disclosure (where
relevant) and examples of conduct that is not appropriate.

Personally, I disclose in the Sponsors section of my activity blog
posts which aspects of my involvement in FLOSS were influenced by
employers. I usually mention in bug reports when I've filed a bug
because of issues experienced by employers. I haven't mentioned
employers in commit logs or debian/changelog though.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: should debian comment about the recent 'ransomware' malware.

2017-05-15 Thread Russ Allbery
shirish शिरीष writes:

> while it was primarily targeted towards Windows machines, maybe we
> could tailor a response which shows how Debian is more secure and
> possibilities of such infections are low/non-existent.

I don't believe such a statement would be factually correct, so no, we
shouldn't make it.

This ransomware used a government-developed exploit that was patched by
Microsoft a month before the malware was released (only because someone
did the right thing and gave them a private heads-up), and gets a toehold
via phishing.  There is absolutely nothing about Debian that would prevent
exactly the same thing from happening to us; the reason why it doesn't is
quite simply because Debian is much less widely used than Windows, and in
particular has less penetration into markets that run obsolete operating
systems on "cannot patch" systems using older and very insecure protocols.
Which is extremely common in the health care industry.

This is not a case where Microsoft did something clearly wrong, or even
differently than we would have done, or where free software would have
helped significantly.  (Maybe if the whole SMB stack were free software
this bug would have been discovered sooner, but quite possibly not; the
free software world certainly has many security bugs that have gone
undiscovered for ten years or more.)

I'm extremely proud of Debian's security team, and we're often quickest to
patch among major Linux distributions.  Our security team does amazing
work.  But nothing a distribution or OS vendor can do can help with
unpatched systems, or against government-funded adversaries that hoard
unreleased zero-day vulnerabilities and exploit tools.  Those are very
hard problems, and we should not mistake our lack of *incidents* from
having a smaller and differently-focused user base for a lack of
*vulnerability*.

The entire computer industry is vulnerable to attacks like this, and
Debian is absolutely not an exception.

-- 
Russ Allbery (r...@debian.org)



Re: should debian comment about the recent 'ransomware' malware.

2017-05-15 Thread Chris Lamb
shirish शिरीष wrote:

> maybe we could tailor a response which shows how Debian is more
> secure and possibilities of such infections are low/non-existent

Given that it is causing serious problems to healthcare provisioning
it would be in poor taste to attempt to capitalise on the situation
so soon.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: should debian comment about the recent 'ransomware' malware.

2017-05-15 Thread Charles Plessy
On Tue, May 16, 2017 at 03:59:18AM +0530, shirish शिरीष wrote:
> 
> I was looking at p.d.o. but much to my disappointment nobody had
> discussed the newest 'wannacry' ransomware there.

> while it was primarily targeted towards Windows machines, maybe we
> could tailor a response which shows how Debian is more secure and
> possibilities of such infections are low/non-existent.

Hi Shirish,

Actually, if there were a large enough number of users still running
Squeeze or earlier versions, for which there is no official nor [LTS
security support](https://wiki.debian.org/LTS), the same could happen to
Debian.  Thus, if there were a response from Debian to the ransomware
attack, it could be a reminder that it is true for Debian as well that
old systems must be upgraded or at least very thoroughly isolated.

But I think that it would more fit a blog article than an official news
release (after all, we will call for updates soon with the next Stable
release).  So... feel free to blog on the topic :)

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan



should debian comment about the recent 'ransomware' malware.

2017-05-15 Thread shirish शिरीष
Dear all,

I was looking at p.d.o. but much to my disappointment nobody had
discussed the newest 'wannacry' ransomware there.

I then looked at a few articles from the web -

http://www.timesnow.tv/india/article/wannacry-ransomware-cert-in-india-cyber-security/61046

http://money.cnn.com/2017/05/13/technology/ransomware-attack-protect-yourself/

http://www.deccanchronicle.com/technology/in-other-news/130517/global-ransomware-attack-what-is-it-how-did-it-spread-and-how-to-prevent-it.html

while it was primarily targeted towards Windows machines, maybe we
could tailor a response which shows how Debian is more secure and
possibilities of such infections are low/non-existent.
-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8



Re: Debian contributor Register of Interests

2017-05-15 Thread Tollef Fog Heen
]] Ian Jackson

> Tollef Fog Heen writes ("Re: Debian contributor Register of Interests"):
> > Indeed.  I also think there's a hang-up about financial conflicts of
> > interest in the discussion, but for at least me (and I suspect others),
> > money is a pretty weak motivator.  I generally have enough that it's
> > something I don't need to spend much mental energy on.
> 
> That makes sense.
> 
> But these things can change.  If you don't have enough money then it
> can be a very powerful motivator.  Worry about (say) losing one's job
> can be pretty significant.  For me, being employed to work on free
> software means an inevitable tension between the interests of my
> employer, and my own views.  Indeed such difficulties contributed to
> my need to depart from Canonical.

Absolutely, I'm not saying they can't be, just that they're not that
powerful motivators for everyone (and while I don't have data about it,
I know that IT generally pays ok to well, and the importance of money
goes down as you get more, so it's a reasonable conclusion).

> From Debian's point of view: I think that anyone who takes prolonged
> employment with an organisation which takes an active interest in
> their Debian work, to the extent of taking an interest in what they
> say about Debian and Free Software, ought to declare that.

My employer pays for me to go speak at Debconf.  I'm not sure if that
passes that bar or not.  (I've declared who they are in the context of
the CTTE, which I think is in a somewhat special situation when it comes
to being very clear about conflicts of interest.)

> >  An example of what I do think could cause conflicts of interest is
> > where I'm part of some community (free software or not) and my
> > interest is in ensuring I have a good standing or status in that
> > community and this colours judgements I make in Debian.
> 
> Most of the communities like that I am part of, are either
> sufficiently remote from software that they wouldn't care, or are
> themselves technology projects.
> 
> In the latter case, most of the information is already public.  It
> would be impractical and pointless to ask everyone to collate it.

Isn't that what the wiki page is about?  Else, you're saying I should
put nothing on there, since it's all public already.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



Re: Debian contributor Register of Interests

2017-05-15 Thread Ian Jackson
Tollef Fog Heen writes ("Re: Debian contributor Register of Interests"):
> Indeed.  I also think there's a hang-up about financial conflicts of
> interest in the discussion, but for at least me (and I suspect others),
> money is a pretty weak motivator.  I generally have enough that it's
> something I don't need to spend much mental energy on.

That makes sense.

But these things can change.  If you don't have enough money then it
can be a very powerful motivator.  Worry about (say) losing one's job
can be pretty significant.  For me, being employed to work on free
software means an inevitable tension between the interests of my
employer, and my own views.  Indeed such difficulties contributed to
my need to depart from Canonical.

From Debian's point of view: I think that anyone who takes prolonged
employment with an organisation which takes an active interest in
their Debian work, to the extent of taking an interest in what they
say about Debian and Free Software, ought to declare that.

Contracting is a bit different.  I wouldn't expect a contractor to
declare the names of all their clients.  OTOH if a client's scenario
motivated a particular software change, I would expect that to be
mentioned even if the name of the client is not.

The main reasons why money is different seem to me to be:

 * Money-related situations often involve significant power imbalances
   where the individual is subject to the opinions of a payer.

 * Money-related interactions are often kept secret.

>  An example of what I do think could cause conflicts of interest is
> where I'm part of some community (free software or not) and my
> interest is in ensuring I have a good standing or status in that
> community and this colours judgements I make in Debian.

Most of the communities like that I am part of, are either
sufficiently remote from software that they wouldn't care, or are
themselves technology projects.

In the latter case, most of the information is already public.  It
would be impractical and pointless to ask everyone to collate it.

I don't intend to declare my membership of political pressure groups
etc., unless I get appointed to lead one or made a political party's
election candidate, or something.  But those folks don't really have
an opinion about my Free Software work.

That I'm a GNU maintainer, upstream for various other programs, the
operator of chiark, and so on, is all public anyway.  A register of
interests ought not to be a list of everyone's software projects, nor
of all of their hobbies.

Ian.

-- 
Ian Jackson    These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.