Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Michael J Gruber
Bjoern Tore Sund wrote on 21.08.2008 11:04:
> It has now been a full week since the first announcement that Fedora had 
> "infrastructure problems" and to stop updating systems.  Since then there 
> have been two updates to the announcement, none of which have modified the 
> "don't update" advice and none of which has been specific as to the exact 
> nature of the problems.  At one point we received a list of servers, but 
> not services, which were back up and running.
> 
> The University of Bergen has 500 linux clients running Fedora.  We 
> average one reinstall/fresh install per day, often doing quite a lot 
> more. Installs and reinstalls have had to stop completely, nightly updates 
> have stopped, and until the nature of the problem is revealed we don't 
> even know for certain whether it is safe for our IT staff to type admin 
> passwords to our (RHEL-based, for the most part) servers from these work 
> stations.
> 
> Sometimes unfortunate events happen beyond anyone's control.  We 
> understand this as well as anyone.  We trust the assurances that the 
> infrastructure team is working hard on resolving the matter and are 
> grateful to them for the job they do.  So far nothing that has happened 
> with this issue has reflected poorly on them.
> 
> Sadly, the same cannot be said about the Management of the Fedora 
> project.  Their choice of complete non-disclosure is enough to eradicate 
> any and all confidence that Fedora is a trustworthy platform for Linux 
> installations.  What information they have released has been deliberately 
> vague and, frankly, useless.  For a day or two to secure things this may 
> be a workable strategy.  For a full week, not giving the community 
> participants any chance whatsoever to protect themselves from threats 
> indicated but not specified?  This is poor management and poor judgement 
> and reflects very badly not only on the Fedora project but on Fedora's 
> RedHat sponsor as well.  The issue is more than serious enough and has 
> gone on for more than long enough that someone higher up the scale should 
> have stepped in a long time ago and made sure that all relevant info was 
> released to the community.
> 
> We strongly encourage both the Fedora management and RedHat as a Fedora 
> sponsor to immediately release any and all information relating to the 
> current infrastructure problems.
> 
> Regards,
> 
> -BT, linux client architect, University of Bergen

Well spoken.

I would like to add that several actions have further decreased my
confidence in the decision process:

- A website was put up with a number of new ssh fingerprints we are
supposed to trust.
- We were asked by fedoraproject (via e-mail) to reset our passwords and
re-upload keys, even with a 14-day deadline.

If there is an issue severe enough which warrants stopping updates
(which indicates that rpm signing keys have been compromised) why should
we trust those fingerprints and servers?

Michael

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Alan Cox
> If there is an issue severe enough which warrants stopping updates
> (which indicates that rpm signing keys have been compromised) why should
> we trust those fingerprints and servers?

Because you have no other basis of trust at all if you don't believe the
master keys?

Or you set up a new infrastructure and create the 'provisional fedora
project' or whatever.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Michael J Gruber
Alan Cox wrote on 21.08.2008 14:56:
>> If there is an issue severe enough which warrants stopping updates 
>> (which indicates that rpm signing keys have been compromised) why
>> should we trust those fingerprints and servers?
> 
> Because you have no other basis of trust at all if you don't believe
> the master keys?

Exactly this is how I came to trust e.g. the rpm signing keys in the
first place: there was no other basis but to trust the master keys in a
"no news is good news" situation where everybody trusted them and no
problems arose. Now there is news - seemingly bad news - and there are
problems. Trust is easily lost but hard to restore. Debian folks can
tell you...

> Or you set up a new infrastructure and create the 'provisional fedora
>  project' or whatever.

Don't trust me! ;)

Michael




Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Jonathan Underwood
2008/8/21 Bjoern Tore Sund <[EMAIL PROTECTED]>:
> It has now been a full week since the first announcement that Fedora had
> "infrastructure problems" and to stop updating systems.  Since then there
> have been two updates to the announcement, none of which have modified the
> "don't update" advice and none of which has been specific as to the exact
> nature of the problems.  At one point we received a list of servers, but not
> services, which were back up and running.
>
> The University of Bergen has 500 linux clients running Fedora.  We average
> one reinstall/fresh install per day, often doing quite a lot more. Installs
> and reinstalls have had to stop completely, nightly updates have stopped, and
> until the nature of the problem is revealed we don't even know for certain
> whether it is safe for our IT staff to type admin passwords to our
> (RHEL-based, for the most part) servers from these work stations.
>
> Sometimes unfortunate events happen beyond anyone's control.  We understand
> this as well as anyone.  We trust the assurances that the infrastructure
> team is working hard on resolving the matter and are grateful to them for
> the job they do.  So far nothing that has happened with this issue has
> reflected poorly on them.
>
> Sadly, the same cannot be said about the Management of the Fedora project.
>  Their choice of complete non-disclosure is enough to eradicate any and all
> confidence that Fedora is a trustworthy platform for Linux installations.
>  What information they have released has been deliberately vague and,
> frankly, useless.  For a day or two to secure things this may be a workable
> strategy.  For a full week, not giving the community participants any chance
> whatsoever to protect themselves from threats indicated but not specified?
>  This is poor management and poor judgement and reflects very badly not only
> on the Fedora project but on Fedora's RedHat sponsor as well.  The issue is
> more than serious enough and has gone on for more than long enough that
> someone higher up the scale should have stepped in a long time ago and made
> sure that all relevant info was released to the community.
>
> We strongly encourage both the Fedora management and RedHat as a Fedora
> sponsor to immediately release any and all information relating to the
> current infrastructure problems.

I suspect that if you really want a response to this, you'll need to
send it to the fedora-advisory-board:

http://www.redhat.com/mailman/listinfo/fedora-advisory-board

Jonathan.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Clint Dilks

Bjoern Tore Sund wrote:
> It has now been a full week since the first announcement that Fedora 
> had "infrastructure problems" and to stop updating systems.  Since 
> then there have been two updates to the announcement, none of which 
> have modified the "don't update" advice and none of which has been 
> specific as to the exact nature of the problems.  At one point we 
> received a list of servers, but not services, which were back up and 
> running.
> 
> The University of Bergen has 500 linux clients running Fedora.  We 
> average one reinstall/fresh install per day, often doing quite a lot 
> more. Installs and reinstalls have had to stop completely, nightly 
> updates have stopped, and until the nature of the problem is revealed 
> we don't even know for certain whether it is safe for our IT staff to 
> type admin passwords to our (RHEL-based, for the most part) servers 
> from these work stations.
> 
> Sometimes unfortunate events happen beyond anyone's control.  We 
> understand this as well as anyone.  We trust the assurances that the 
> infrastructure team is working hard on resolving the matter and are 
> grateful to them for the job they do.  So far nothing that has happened 
> with this issue has reflected poorly on them.
> 
> Sadly, the same cannot be said about the Management of the Fedora 
> project.  Their choice of complete non-disclosure is enough to 
> eradicate any and all confidence that Fedora is a trustworthy platform 
> for Linux installations.  What information they have released has been 
> deliberately vague and, frankly, useless.  For a day or two to secure 
> things this may be a workable strategy.  For a full week, not giving 
> the community participants any chance whatsoever to protect themselves 
> from threats indicated but not specified?  This is poor management and 
> poor judgement and reflects very badly not only on the Fedora project 
> but on Fedora's RedHat sponsor as well.  The issue is more than 
> serious enough and has gone on for more than long enough that someone 
> higher up the scale should have stepped in a long time ago and made 
> sure that all relevant info was released to the community.
> 
> We strongly encourage both the Fedora management and RedHat as a 
> Fedora sponsor to immediately release any and all information relating 
> to the current infrastructure problems.
> 
> Regards,
> 
> -BT, linux client architect, University of Bergen


Hi, I work in an environment very similar to yours, a university in New 
Zealand.  And while I understand your frustration and agree that this 
situation and the communication surrounding it have been managed poorly, 
I will say that we as administrators cannot blame Fedora if we make 
their infrastructure too critical to our own systems.  For example, we can 
make our own local repositories and we can control / test updates to try 
and minimize the risks from events such as this.




Re: non-disclosure of infrastructure problem a management issue?

2008-08-21 Thread Nifty Fedora Mitch
On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora  
>> had "infrastructure problems" and to stop updating systems.
>
> Hi, I work in an environment very similar to yours, a university in New  
> Zealand.  And while I understand your frustration and agree that this  
> situation and the communication surrounding it have been managed poorly,  
> I will say that we as administrators cannot blame Fedora if we make  
> their infrastructure too critical to our own systems.  For example, we can  
> make our own local repositories and we can control / test updates to try  
> and minimize the risks from events such as this.

Just guessing,

This smells like a hacker was detected or a hack was discovered.
As readers of this list will note the historic resolution for a
hacked system has been to do a full reload which takes time.

Ssh key management may also be at issue given the key generation flaw known
as the Debian SSH key attacks.   In some cases a key can be recovered in
20 min...  In this case the issue might be poor keys generated outside
of RH and not a flaw in RH process or tools.

If it had been a blown disk farm we would have more info already.

The more I read about the SSH key attacks the more convinced
I am that there is a need to update my set of keys for me and my systems.  

In time they will tell.

-- 
T o m  M i t c h e l l 
Got a great hat... now what.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Anne Wilson
On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
> Just guessing,
>
> This smells like a hacker was detected or a hack was discovered.
> As readers of this list will note the historic resolution for a
> hacked system has been to do a full reload which takes time.
>
> Ssh key management may also be at issue given the key generation flaw known
> as the Debian SSH key attacks.   In some cases a key can be recovered in
> 20 min...  In this case the issue might be poor keys generated outside
> of RH and not a flaw in RH process or tools.
>
> If it had been a blown disk farm we would have more info already.
>
> The more I read about the SSH key attacks the more convinced
> I am that there is a need to update my set of keys for me and my systems.  
>
> In time they will tell.

Today's announcement is pretty clear.  There was an intrusion, and it affected 
the server which signs packages, hence the warning to hold off until tests 
had been done.  All the evidence is that the key passphrase was not 
successfully hacked, so it's unlikely that we have any corrupt packages if we 
only accept signed ones.  New signatures are to play safe, and it is now safe 
to resume normal working practices.

I still think that the very low-volume announce list is essential for all 
Fedora users.

Anne



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread David

Anne Wilson wrote:
> On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
>> Just guessing,
>>
>> This smells like a hacker was detected or a hack was discovered.
>> As readers of this list will note the historic resolution for a
>> hacked system has been to do a full reload which takes time.
>>
>> Ssh key management may also be at issue given the key generation flaw known
>> as the Debian SSH key attacks.   In some cases a key can be recovered in
>> 20 min...  In this case the issue might be poor keys generated outside
>> of RH and not a flaw in RH process or tools.
>>
>> If it had been a blown disk farm we would have more info already.
>>
>> The more I read about the SSH key attacks the more convinced
>> I am that there is a need to update my set of keys for me and my systems.
>>
>> In time they will tell.
>
> Today's announcement is pretty clear.  There was an intrusion, and it affected
> the server which signs packages, hence the warning to hold off until tests
> had been done.  All the evidence is that the key passphrase was not
> successfully hacked, so it's unlikely that we have any corrupt packages if we
> only accept signed ones.  New signatures are to play safe, and it is now safe
> to resume normal working practices.
>
> I still think that the very low-volume announce list is essential for all
> Fedora users.


At the very least it should be suggested, recommended, or maybe an
'auto signup' when signing up for any other of the 'public type' lists.
For them, the newer users, because it is important. Those of us with
experience know, or should know, enough to do that.

It is very low volume list so even those with 'limits' should see the
value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but
then the 'I didn't know' whines should stop because of the 'opt-out'.
Those that opt-out, and whine, should be ignored.  ;-)

-- 


  David


Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Tim
On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> There was an intrusion, and it affected the server which signs
> packages, hence the warning to hold off until tests had been done.

They really should have said something more like that, first off.  Sure,
they didn't want to play their hand, but the hacker would have known
they'd been rumbled by the first announcement.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Nifty Fedora Mitch
On Sat, Aug 23, 2008 at 02:11:31AM +0930, Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> > There was an intrusion, and it affected the server which signs
> > packages, hence the warning to hold off until tests had been done.
> 
> They really should have said something more like that, first off.  Sure,
> they didn't want to play their hand, but the hacker would have known
> they'd been rumbled by the first announcement.
> 

Yes, the specific hacker would have, but how that hacker
hacked their way in would not have been obvious to RH and
perhaps the hacker community.

I am very pleased with the way RH acted and how
quickly they slammed the door shut.



-- 
T o m  M i t c h e l l 
Got a great hat... now what.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Nifty Fedora Mitch
On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora  
>> had "infrastructure problems" and to stop updating systems.  Since  
>> then there have been two updates to the announcement, none of which  
>> have modified the "don't update" advice and none of which has been  
>> specific as to the exact nature of the problems.  At one point we  
>> received a list of servers, but not services, which were back up and  
>> running.
>>
>> The University of Bergen has 500 linux clients running Fedora.  We  
>> average one reinstall/fresh install per day, often doing quite a lot  
>> more. Installs and reinstalls have had to stop completely, nightly  
>> updates have stopped, and until the nature of the problem is revealed  
>> we don't even know for certain whether it is safe for our IT staff to  
>> type admin passwords to our (RHEL-based, for the most part) servers  
>> from these work stations.

With 500 clients?
Are you pulling updates from the internet or are
you pulling from a local cache of "tested" updates?

Are you using site-specific kickstart config files that install local
yum config files, ssh keys, sendmail setup and sudo config files so your
admins can access the hosts without typing passwords?

What revision control of the config files?

I can see that the lack of updates would prove disconcerting,
but the inability to maintain day to day, another one just like
yesterday's install, seems fragile.

In business school there is a strategy of "owning your own
dependencies".   The long term success stories in business include 
strong control of resources that they depend on.

It is possible to manage yum and friends to allow only update packages
re-signed by your group at Bergen after testing them.

My last question -- what is the University of Bergen's written policy for
this type and other risks?   Does university policy mandate the disclosure 
that you expect from RedHat?



In possible defense of RH, does anyone know what restrictions the US Department
of Homeland Security might impose?   If I were RH I would have promptly called in
the authorities.  Then with the conflict between Georgia and Russia catching 
headlines, who knows how cautious and SLOW RH+DHS+FBI were.  I do not
expect an answer. And just because some are paranoid, RH did get 
hacked.




-- 
T o m  M i t c h e l l 
Got a great hat... now what.

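Clint Dilks' suggestion of local repositories and Tom Mitchell's point that yum can be made to accept only packages re-signed by the local group after testing both come down to what is in the clients' .repo files. The following is an added example, not code from anyone in this thread: a POSIX shell lint that flags every enabled repository in a yum .repo file that pulls from anywhere other than the local mirror, has gpgcheck off, or trusts any key other than the site's own re-signing key. The mirror URL, key path and sample .repo contents are constructed for the example.

```shell
#!/bin/sh
# Policy lint for yum .repo files, written for this thread's scenario: a site
# that mirrors Fedora locally, tests updates, re-signs the approved packages
# with its own key, and wants every client to accept nothing else.
# An enabled repository passes only if it
#   1. has gpgcheck=1 (yum's default is 0, i.e. unsigned packages are accepted),
#   2. lists exactly the site's re-signing key as gpgkey (listing the upstream
#      Fedora key as well would let untested upstream packages through), and
#   3. pulls from a baseurl on the local mirror (a mirrorlist/metalink entry
#      sends the client to Internet mirrors, so it fails this check).
# All hostnames, key paths and .repo contents below are constructed for the
# example.

# lint_repo_file FILE MIRROR_PREFIX LOCAL_KEY
# Prints "<repoid>: <reason>" for every enabled repository that breaks the
# policy and returns 1; prints nothing and returns 0 for a clean file.
lint_repo_file() {
    _out=$(awk -v prefix="$2" -v localkey="$3" '
        function flush() {
            if (id == "" || enabled == "0") return
            if (gpgcheck != "1")
                printf "%s: gpgcheck is not 1, unsigned packages would be accepted\n", id
            if (gpgkey != localkey)
                printf "%s: gpgkey is not exactly the local re-signing key\n", id
            if (index(baseurl, prefix) != 1)
                printf "%s: baseurl missing or not on the local mirror\n", id
        }
        { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }      # trim the line
        /^[#;]/ || /^$/ { next }                           # comments, blanks
        /^\[.*\]$/ {                                       # new [repoid] section
            flush()
            id = substr($0, 2, length($0) - 2)
            enabled = "1"; gpgcheck = ""; gpgkey = ""; baseurl = ""
            next
        }
        index($0, "=") > 0 {                               # key = value line
            key = substr($0, 1, index($0, "=") - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1);   sub(/^[ \t]+/, "", val)
            if      (key == "enabled")  enabled  = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey")   gpgkey   = val
            else if (key == "baseurl")  baseurl  = val
        }
        END { flush() }
    ' "$1")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# violation_count FILE MIRROR_PREFIX LOCAL_KEY -> number of policy violations
violation_count() {
    lint_repo_file "$1" "$2" "$3" | awk 'END { print NR }'
}

MIRROR="http://mirror.example.edu/fedora/"                  # constructed local mirror
KEY="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-tested"     # constructed re-signing key

WEAK=$(mktemp) && HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Stock-style configuration: upstream key, Internet mirrorlist, and an unsigned
# add-on repository.  [updates-testing] is disabled and therefore ignored.
cat >"$WEAK" <<'EOF'
[updates]
name=Fedora $releasever - $basearch - Updates
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[site-addons]
name=Site add-ons (unsigned)
baseurl=http://mirror.example.edu/fedora/addons/$basearch
enabled = 1
gpgcheck = 0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-tested
EOF

# Hardened configuration: only locally tested and re-signed packages, from the
# local mirror, verified against the site key.
cat >"$HARD" <<'EOF'
[updates-tested]
name=Fedora updates, tested and re-signed locally
baseurl=http://mirror.example.edu/fedora/tested/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-tested
EOF

echo "== stock-style .repo =="
lint_repo_file "$WEAK" "$MIRROR" "$KEY" || echo "-> rejected"
echo "== hardened .repo =="
lint_repo_file "$HARD" "$MIRROR" "$KEY" && echo "-> accepted"
```

Run it against /etc/yum.repos.d/*.repo on a kickstarted client to confirm that nothing but the locally re-signed repository is enabled.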


Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Anne Wilson
On Friday 22 August 2008 17:41:31 Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> > There was an intrusion, and it affected the server which signs
> > packages, hence the warning to hold off until tests had been done.
>
> They really should have said something more like that, first off.  Sure,
> they didn't want to play their hand, but the hacker would have known
> they'd been rumbled by the first announcement.
>
But think what fun the FUD-spreaders would have missed :-)

Anne




Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Björn Persson
On Friday 22 August 2008, Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> > There was an intrusion, and it affected the server which signs
> > packages, hence the warning to hold off until tests had been done.
>
> They really should have said something more like that, first off.

I agree. I can't see any reason why they couldn't have said the following a 
week ago:

"We suspect that some Fedora servers may have been illegally accessed. We are 
working to analyze the intrusion and the extent of the compromise. Right now 
we can't rule out the possibility that there may be tampered packages on the 
mirrors, so as a precaution we recommend you not download or update any 
additional packages on your Fedora systems. The investigation may result in 
service outages, for which we apologize in advance."

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Rahul Sundaram

Björn Persson wrote:
> On Friday 22 August 2008, Tim wrote:
>> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>>> There was an intrusion, and it affected the server which signs
>>> packages, hence the warning to hold off until tests had been done.
>>
>> They really should have said something more like that, first off.
>
> I agree. I can't see any reason why they couldn't have said the following a 
> week ago:
>
> "We suspect that some Fedora servers may have been illegally accessed. We are 
> working to analyze the intrusion and the extent of the compromise. Right now 
> we can't rule out the possibility that there may be tampered packages on the 
> mirrors, so as a precaution we recommend you not download or update any 
> additional packages on your Fedora systems. The investigation may result in 
> service outages, for which we apologize in advance."


https://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00088.html

Rahul



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Arthur Pemberton
2008/8/22 Björn Persson <[EMAIL PROTECTED]>:
> On Friday 22 August 2008, Tim wrote:
>> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>> > There was an intrusion, and it affected the server which signs
>> > packages, hence the warning to hold off until tests had been done.
>>
>> They really should have said something more like that, first off.
>
> I agree. I can't see any reason why they couldn't have said the following a
> week ago:


Legal issues? The word was used in the first sentence.


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Arthur Pemberton
On Fri, Aug 22, 2008 at 11:40 AM, David <[EMAIL PROTECTED]> wrote:
> At the very least it should be suggested, recommended, or maybe an
> 'auto signup' when signing up for any other of the 'public type' lists.
> For them, the newer users, because it is important. Those of us with
> experience know, or should know, enough to do that.
>

It is suggested... on the communication page... one click from the
fedoraproject home page.

All the lists are public. All of them are archived.

How is it so important that Fedora must do it for everyone, but people
can't do it for themselves?

Why must I be subjected to something that I don't want (if that's the
case) instead of you getting to choose what you do want?

You all make it sound like the fedora announce list was some secret
list, or that there were no expectations that there would be important
announcements about fedora on the fedora-announce-list. I find this
deeply irrational and it frustrates me trying to understand this
position some of you have taken. Not only is it on
http://fedoraproject.org/wiki/Communicate#User_Mailing_Lists, it's the
first one listed (due to alphabetical order).

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Björn Persson
Rahul Sundaram wrote:

> https://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00088.html

"Interfering with an investigation"? Bullshit!

I suppose it's also illegal to stop the intruder until the investigation is 
done, then? You have to let him continue causing damage, reading your secrets 
and covering his tracks, because if you stop him he'll know he's been 
discovered and then you've interfered with the investigation, right? I knew 
the legal system in the USA was crazy but I really didn't think it was *that* 
insane.

When you discover an intrusion, the *first* thing you should do is yank the 
network cable out. An inevitable side effect of this is that the intruder 
finds out that he's been discovered. Warning others who may also be affected 
doesn't help the intruder get away better when he already knows he's been 
discovered.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Björn Persson
Arthur Pemberton wrote:
> 2008/8/22 Björn Persson <[EMAIL PROTECTED]>:
> > I agree. I can't see any reason why they couldn't have said the following
> > a week ago:
>
> Legal issues? the word was used in the first sentence.

The first sentence in the first announcement was "The Fedora Infrastructure 
team is currently investigating an issue in the infrastructure systems.". The 
word "legal" does not occur in that sentence so I have to assume that the 
word you refer to is "issue". That's a word with many meanings:

http://dictionary.reference.com/browse/issue

None of those meanings convey to me the idea that "we're prohibited by law 
from telling you what kind of problem this is". "An issue in the 
infrastructure systems" sounds like a *technical* problem to me.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-22 Thread Rahul Sundaram

Björn Persson wrote:
> Rahul Sundaram wrote:
>> https://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00088.html
>
> "Interfering with an investigation"? Bullshit!


You seem to have missed the details in front:

"If you've ever been involved in a security investigation, you already
know that facts emerge over time.  With every disclosure there's a risk
of getting those facts wrong, or having to issue retractions.
Disclosure at an inappropriate time gives people the mistaken impression
one is not being truthful, when that's not the case.

The disclosures we've made up to and including this point have been
factual, in the interest of protecting the security of our millions of
users, and in the further interest of allowing proper investigation and
analysis of an ongoing matter.

As I stated in the announcement, I'll continue to provide information as
it becomes available."

Rahul



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Peter Boy
On Saturday, 23.08.2008, 01:00 +0200, Björn Persson wrote:
> On Friday 22 August 2008, Tim wrote:
> > On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> > > There was an intrusion, and it affected the server which signs
> > > packages, hence the warning to hold off until tests had been done.
> >
> > They really should have said something more like that, first off.
> 
> I agree. I can't see any reason why they couldn't have said the following a 
> week ago:
> 
> ".."

Being honest, you might concede that there is not "one best single
solution" in such an event. There are several possibilities with their
own pros and cons. But you have to make a decision immediately, perhaps
without properly knowing all the details you would wish to know.

I think Fedora and RH made reasonable decisions.

Peter



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Tim
On Sat, 2008-08-23 at 07:24 +0530, Rahul Sundaram wrote:
> "If you've ever been involved in a security investigation, you already
> know that facts emerge over time.  With every disclosure there's a
> risk of getting those facts wrong, or having to issue retractions.
> Disclosure at an inappropriate time gives people the mistaken
> impression one is not being truthful, when that's not the case.
>
> The disclosures we've made up to and including this point have been
> factual, in the interest of protecting the security of our millions of
> users, and in the further interest of allowing proper investigation
> and analysis of an ongoing matter.

I still don't see why they couldn't have said that it would be *unsafe*
to install packages, without saying specifically why.  As opposed to
them wording it as if there were just unreliable services.  The original
posting just seems to suggest that the services may be wonky.

It also makes one think that they ought to (a) off-line the source
servers, *and* (b) have some way to make the mirrors go off-line, too,
with some form of "prolonged downtime expected" error message.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Rui Miguel Silva Seabra
On Sat, Aug 23, 2008 at 05:38:02PM +0930, Tim wrote:
> On Sat, 2008-08-23 at 07:24 +0530, Rahul Sundaram wrote:
> I still don't see why they couldn't have said that it would be *unsafe*
> to install packages, without saying specifically why.  As opposed to

You still don't see because you don't want to.

The first message...
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg8.html

... said:

We're still assessing the end-user impact of the situation, but as a
precaution, we recommend you not download or update any additional
packages on your Fedora systems.

This spells "*unsafe* to install packages, without saying specifically
why" to me, what about you? :)

Rui

-- 
Pzat!
Today is Setting Orange, the 16th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Björn Persson
Rahul Sundaram quoted Paul W. Frields:
> "If you've ever been involved in a security investigation, you already
> know that facts emerge over time.  With every disclosure there's a risk
> of getting those facts wrong,

If you don't know yet, then simply say that you don't know yet.

> or having to issue retractions. 

What about the announcement that no tampered packages were built for Fedora? 
Isn't that a retraction of the recommendation not to install packages? And 
what's wrong with that?

> Disclosure at an inappropriate time gives people the mistaken impression
> one is not being truthful, when that's not the case.

The first announcement gave me the impression that there was a technical 
problem, such as overloaded web servers or a crashed database or something. 
In retrospect it's obvious that when that announcement was written they 
already knew or at least suspected that there had been an intrusion. This 
gives me the impression that Paul W. Frields was not being truthful. He lied 
by telling half the truth.

"The closer to the truth, the better the lie, and the truth itself, when it 
can be used, is the best lie." – Preem Palver (Isaac Asimov)

> The disclosures we've made up to and including this point have been
> factual,

but misleading

> in the interest of protecting the security of our millions of 
> users,

You don't protect users' security by concealing a security issue as a 
technical problem. That's security by obscurity. Tell us that the issue has 
to do with security so that we have something to base our judgments on!

> and in the further interest of allowing proper investigation and 
> analysis of an ongoing matter.

And how exactly would investigation and analysis have been hindered if we had 
been told what kind of issue it was?

> As I stated in the announcement, I'll continue to provide information as
> it becomes available."

Did it really take a week before the information that the issue was related to 
security became available?

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Björn Persson
Rui Miguel Silva Seabra wrote:
> The first message...
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg8.html
>
> ... said:
>
>   We're still assessing the end-user impact of the situation, but as a
>   precaution, we recommend you not download or update any additional
>   packages on your Fedora systems.
>
> This spells "*unsafe* to install packages, without saying specifically
> why" to me, what about you? :)

To me it looked like there was a problem with the performance or availability 
of the servers, and they didn't know how much downtime there would be or how 
bad the response times would be, and they wanted us to avoid updating to ease 
the load on the servers until they could fix the problem. That wouldn't make 
it unsafe to install packages although it might be difficult to download 
them.

I can also imagine that such a recommendation would be issued if a bug in the 
build system had caused corrupted packages or incorrect dependencies. In that 
case it could be said that it would be unsafe to install packages, but I 
might still choose to update some after ensuring that I could revert to an 
older version if necessary.

It wasn't until I saw the speculations here in fedora-list that I understood 
that there might be a risk that I would get backdoors installed if I updated. 
It's mostly by chance that I'm currently reading fedora-list. If I were only 
reading fedora-announce-list I might not have understood that there was a 
security risk until yesterday's announcement, and then I would probably have 
chosen to install some important security updates despite the recommendation.

It's simple, really: People won't follow instructions if you don't tell them 
why the instructions are important.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Anders Karlsson
* Björn Persson <[EMAIL PROTECTED]> [20080823 18:57]:
> Rahul Sundaram quoted Paul W. Frields:
[snip]
> > Disclosure at an inappropriate time gives people the mistaken impression
> > one is not being truthful, when that's not the case.
> 
> The first announcement gave me the impression that there was a technical 
> problem, such as overloaded web servers or a crashed database or something. 
> In retrospect it's obvious that when that announcement was written they 
> already knew or at least suspected that there had been an intrusion. This 
> gives me the impression that Paul W. Frields was not being truthful. He lied 
> by telling half the truth.

That is a pretty strong statement to make. Not telling everything does
not equate lying - especially when what you are telling (or can tell)
is true. And if all you have is an impression that he is not truthful,
you concede that you have no evidence to the contrary as well.

I think you owe Paul Frields an apology.

[snip]

> > As I stated in the announcement, I'll continue to provide information as
> > it becomes available."
> 
> Did it really take a week before the information that the issue was related
> to security became available?

I think you ought to read the book "The Cuckoo's Egg" by Clifford
Stoll. Once you have read it and understood it, feel free to comment
again on the issue at hand here.

/Anders



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Bjørn Tore Sund

Nifty Fedora Mitch chose attack as the best defense:
> On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
>> Bjoern Tore Sund wrote:
>>> It has now been a full week since the first announcement that Fedora
>>> had "infrastructure problems" and to stop updating systems.  Since
>>> then there has been two updates to the announcement, none of which
>>> have modified the "don't update" advice and none of which has been
>>> specific as to the exact nature of the problems.  At one point we
>>> received a list of servers, but not services, which were back up and
>>> running.
>>>
>>> The University of Bergen has 500 linux clients running Fedora.  We
>>> average one reinstall/fresh install per day, often doing quite a lot
>>> more. Installs and reinstalls has had to stop completely, nightly
>>> updates have stopped, and until the nature of the problem is revealed
>>> we don't even know for certain whether it is safe for our IT staff to
>>> type admin passwords to our (RHEL-based, for the most part) servers
>>> from these work stations.
>
>With 500 clients ?

So far.  Got about 250 laptops coming into the system this autumn, as soon
as we have the setup and config regime properly structured and able to
handle it.  Should be ready sometime in September.

>Are you pulling updates from the internet or are
>you pulling from a local cache of "tested" updates.

I have often wished we had the manpower to do the latter.  Unfortunately, we
don't, so the local mirror is exactly that, a mirror.  One thing this
incident has taught us is to take regular backups of that mirror so that we
can roll back to a non-suspect version of the Fedora updates.  Didn't have
that before, really missed it the last couple of weeks.

>Are you using site specific kickstart config files that install local
>yum config files, ssh keys, sendmail setup and sudo config files so your admins
>can access the hosts without typing pass words?

Yes, to all.  Unfortunately that regime isn't 100% adhered to, which is
something we work on.  Equally unfortunately, we have had to give the
footwork guys sudo access to a limited set of commands.  Sudo with or
without passwords has different security implications; we've landed on
"with".

>What revision control of the config files?

Subversion.  Some distributed through nightly scripts using wget, some
through a commercial software package for server administration.

>I can see that the lack of updates would prove disconcerting
>but the inability to maintain day to day, another one just like
>yesterdays install seems fragile.

I'm sorry, but my English isn't good enough to parse that sentence
sufficiently to guess what you're trying to express.

>In business school there is a strategy of "owning your own
>dependencies".   The long term success stories in business include
>strong control of resources that they depend on.
>
>It is possible to manage yum and friends to allow only update packages
>resigned by your group at Bergan after testing them.

Indeed this is possible.  Unfortunately, we don't have the resources so we
are dependent on our Linux distro having those resources.  If I had
unlimited resources, this is not the only thing I would do differently.

>My last question -- what is the University of Bergin's written policy for
>this type and other risks.   Does university policy mandate the disclosure
>that you expect from RedHat.

It does, and we have.  Both when it has implicated our own users and when we
have uncovered compromised servers on our site being used for attacks
against other sites.

I'm sure your questions were part of a point you were making.  I trust that
you are happy with that point.  Me, I'm relieved that I finally have
concrete information on what has been happening and how it affects us.  In
the end I'm now more unhappy with RedHat than I am with Fedora - but that is
not a topic for this list.  At least Fedora told us _something_ was wrong.

-BT
-- 
Bjørn Tore Sund   Phone: 555-84894   Email:   [EMAIL PROTECTED]
IT department VIP:   81724   Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Arthur Pemberton
On Sat, Aug 23, 2008 at 4:44 PM, Bjørn Tore Sund <[EMAIL PROTECTED]> wrote:
>>Are you pulling updates from the internet or are
>>you pulling from a local cache of "tested" updates.
>
> I have often wished we had the manpower to do the latter.  Unfortunately, we
> don't, so the local mirror is exactly that, a mirror.  One thing this
> incident has taught us is to take regular backups of that mirror so that we
> can roll back to a non-suspect version of the Fedora updates.  Didn't have
> that before, really missed it the last couple of weeks.

The cheap way is to start the mirror script manually, as opposed to on a timer.

So first thing in the morning, check the internets for possible issues;
if none found, start the script.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Joel Rees

I don't mean to be rude, but, ...


> [...]  One thing this
> incident has taught us is to take regular backups of that mirror so
> that we can roll back to a non-suspect version of the Fedora updates.
> Didn't have that before, really missed it the last couple of weeks.


Consider that a lesson well learned. And, while it may not have been  
the most convenient time to learn it, things could have been much worse.


It's one of the costs (and, actually, one of the benefits) of working  
with open source. With "Proprietary" you have "guarantees". When they  
fall down on the job, or when other bad stuff happens, you can  
theoretically get some sort of compensation. But when you look at the  
record, the compensation you get isn't worth it.


With opensource, you have both the responsibility and the privilege  
to run your own install servers and backups. And you don't have the  
guarantees that seem to fool the bean counters.



>> Are you using site specific kickstart config files that install local
>> yum config files, ssh keys, sendmail setup and sudo config files
>> so your admins can access the hosts without typing pass words?
>
> Yes, to all.  Unfortunately that regime isn't 100% adhered to, which is
> something we work on.  Equally unfortunately, we have had to give the
> footwork guys sudo access to a limited set of commands.  Sudo with or
> without passwords has different security implications, we've landed on
> "with".


"With" is not a bad alternative.

Balancing resources is always a problem. No matter how you choose,  
sometimes bad stuff happens. Again, if accounting or management is  
coming after you, point to the actual results (not the promises and  
fudged guarantees) that could be obtained from the proprietary  
alternatives.


F/OSS, while better than the alternatives, is not some magic utopia.

Now, I think they're handling this pretty well so far.

I'm considering things from the overall perspective. A certain  
"Proprietary" vendor has put the entire world's infrastructure at  
risk, and they've managed to delay things with weird legal and  
political games for more than ten years, putting society at further  
risk. What we hear in public is not the worst that could happen (or  
is happening, really), and anyone whose infrastructure is dependent  
on that "Proprietary" vendor, is basically living on borrowed time  
and illusions. It's definitely time to run a tight ship now.


[...]

Joel Rees



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Björn Persson
Anders Karlsson wrote:
> * Björn Persson <[EMAIL PROTECTED]> [20080823 18:57]:
> > The first announcement gave me the impression that there was a technical
> > problem, such as overloaded web servers or a crashed database or
> > something. In retrospect it's obvious that when that announcement was
> > written they already knew or at least suspected that there had been an
> > intrusion. This gives me the impression that Paul W. Frields was not
> > being truthful. He lied by telling half the truth.
>
> That is a pretty strong statement to make. Not telling everything does
> not equate lying - especially when what you are telling (or can tell)
> is true. And if all you have is an impression that he is not truthful,
> you concede that you have no evidence to the contrary as well.
>
> I think you owe Paul Frields an apology.

It would be possible to convince me that he didn't mean to deceive. It would 
take an honest-sounding statement that he thought that everybody would 
understand that installing packages might be not only unsafe but actually 
insecure, and also a very good explanation of why he – or someone giving him 
orders – thought it was absolutely necessary to be so cryptic. It would be 
dishonest to apologize before I'm convinced.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Björn Persson
Bjørn Tore Sund wrote:
> One thing this
> incident has taught us is to take regular backups of that mirror so that we
> can roll back to a non-suspect version of the Fedora updates.  Didn't have
> that before, really missed it the last couple of weeks.

How far would you have rolled it back? During the whole time that the Fedora 
repositories were suspect there was no information whatsoever on how old 
packages would have to be to be non-suspect. And while the infrastructure 
team either knew or suspected the whole time that the issue they were 
investigating was an intrusion, it probably did take some time before they 
knew how long the intrusion had been going on.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread max

Björn Persson wrote:
> Anders Karlsson wrote:
>> * Björn Persson <[EMAIL PROTECTED]> [20080823 18:57]:
>>> The first announcement gave me the impression that there was a technical
>>> problem, such as overloaded web servers or a crashed database or
>>> something. In retrospect it's obvious that when that announcement was
>>> written they already knew or at least suspected that there had been an
>>> intrusion. This gives me the impression that Paul W. Frields was not
>>> being truthful. He lied by telling half the truth.
>>
>> That is a pretty strong statement to make. Not telling everything does
>> not equate lying - especially when what you are telling (or can tell)
>> is true. And if all you have is an impression that he is not truthful,
>> you concede that you have no evidence to the contrary as well.
>>
>> I think you owe Paul Frields an apology.
>
> It would be possible to convince me that he didn't mean to deceive. It would
> take an honest-sounding statement that he thought that everybody would
> understand that installing packages might be not only unsafe but actually
> insecure, and also a very good explanation of why he – or someone giving him
> orders – thought it was absolutely necessary to be so cryptic. It would be

You do not have all the facts, yet you feel free to pass judgement.
Calling Paul Frields a liar is out of line and you know it, we have no
idea what constraints he may be operating under. Your statement above
strikes me as naive and dishonest. You had no idea there was a security
issue? It was the first thing to cross my mind when I first saw the
announcement. What else could it have been? Why else the cryptic
message? No, it strikes me that you are being dishonest with yourself
first and foremost. From what little I can glean from mail sent to this
list you do not strike me as a fool, is it just frustration at the
situation? This is understandable but it does not give you leave to
accuse people of being deceitful.

> dishonest to apologize before I'm convinced.
>
> Björn Persson


--
Fortune favors the BOLD



Re: non-disclosure of infrastructure problem a management issue?

2008-08-23 Thread Tim
Tim:
>> I still don't see why they couldn't have said that it would be *unsafe*
>> to install packages, without saying specifically why.  As opposed to

Rui Miguel Silva Seabra:
> You still don't see because you don't want to.

No, I didn't see because it didn't say.

I saw the original posting, and it was wide open to interpretation.  It
didn't spell out anything clearly.  It could well have meant that there
was a system failure, and if you started updating/installing you could
get stuck with a broken system.

At first glance, that's how it reads.  Only suspicion and paranoia leads
one to think it meant more than that.  We cannot read between the lines
and know what the message actually meant.  It's only by guessing at
things that we'd become alarmed about the message.  Whoever wrote that
did a very poor job of it.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Nifty Fedora Mitch
On Sat, Aug 23, 2008 at 11:44:15PM +0200, Bjørn Tore Sund wrote:
> Nifty Fedora Mitch chose attack as the best defense:
> > On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> >> Bjoern Tore Sund wrote:
> >>> It has now been a full week since the first announcement that Fedora
> >>> had "infrastructure problems" and to stop updating systems.  Since
> >>> then there has been two updates to the announcement, none of which
> >>> have modified the "don't update" advice and none of which has been
> >>> specific as to the exact nature of the problems.  At one point we
> >>> received a list of servers, but not services, which were back up and
> >>> running.
> >>>
> >>> The University of Bergen has 500 linux clients running Fedora.  We
> >>> average one reinstall/fresh install per day, often doing quite a lot
> >>> more. Installs and reinstalls has had to stop completely, nightly
> >>> updates have stopped, and until the nature of the problem is revealed
> >>> we don't even know for certain whether it is safe for our IT staff to
> >>> type admin passwords to our (RHEL-based, for the most part) servers
> >>> from these work stations.
> >
> >With 500 clients ?
> 
> So far.  Got about 250 laptops coming into the system this autumn, as soon
> as we have the setup and config regime properly structured and able to
> handle it.  Should be ready sometime in September.
> 
> >Are you pulling updates from the internet or are
> >you pulling from a local cache of "tested" updates.
> 
> I have often wished we had the manpower to do the latter.  Unfortunately, we
> don't, so the local mirror is exactly that, a mirror.  One thing this
> incident has taught us is to take regular backups of that mirror so that we
> can roll back to a non-suspect version of the Fedora updates.  Didn't have
> that before, really missed it the last couple of weeks.

Thank you for the reply.

Your site setup sounds very well managed and I now
understand your concern and original post much better.
Other readers of this list should take a lesson 
on how to manage a large community of machines and users.

This event does present the community with some eye opening perspectives
with regard to the chain of resources that we depend on.

For example using 'rsync' for mirror management could quickly and
silently update the global set of mirrors with bad files almost overnight.
If keys were hacked and hosts near the tip of tree silently compromised it might
go undetected for some time.

Weeks ago I would have suggested running a mirror without the --delete flag
as the only 'special flag' not in common use.  Now it appears that some
sort of way to freeze packages once they have been pulled makes sense.

One quick local action is to have a local check sum file set that can be
used to verify that 'old' packages do not change in the local mirror.
rsync and friends could then be enhanced to understand a 'gold frozen' list.

As I ponder an 'rsync' tree of mirrors I continue to think that RH did the 
correct thing.

Still, having said that, I too would have liked more information.  But, in my
limited experience with law enforcement and security groups the rule seems
to be to say nothing, which is exactly what happened.  Sadly the Linux
community is not without its bad actors as we in the SF Bay area learned
with the recent conviction of HR.

Interesting stuff


-- 
T o m  M i t c h e l l 
Got a great hat... now what.

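One concrete form of the "gold frozen" list proposed in the message above, which also gives the non-suspect baseline that Bjørn Tore Sund wished he had kept earlier in the thread. This is an added example, not code from the list, from Fedora Infrastructure or from the University of Bergen. It assumes a local mirror laid out as a directory tree and a JSON manifest file beside it (both names chosen here); the package files in the demo are constructed stand-ins with fake contents, not real RPMs. The rule it enforces is the one Mitch describes: a package that has already been pulled is frozen, so a later sync that silently changes or removes it is flagged, while genuinely new packages are simply not yet frozen. Because the manifest is written locally, it keeps working even in the scenario Mitch raises where the upstream signing keys themselves were compromised, since it does not depend on any upstream signature.

```python
"""Added example: a "gold frozen" checksum manifest for a local package mirror.

Once a package has been pulled into the local mirror, its checksum is
recorded.  On every later sync, verify() refuses to trust any frozen file
that changed or disappeared.  New files are allowed (the mirror is
expected to grow); a frozen file that changes is the signal.

All paths, file names and contents in demo() are constructed for this
example; nothing here is real Fedora data.
"""
import hashlib
import json
import os
import tempfile

# Suffixes treated as packages; repodata and the manifest itself are ignored.
PACKAGE_SUFFIXES = (".rpm", ".drpm")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_packages(mirror_root):
    """Map relative path -> sha256 for every package file under mirror_root."""
    found = {}
    for dirpath, _dirs, files in os.walk(mirror_root):
        for name in files:
            if name.endswith(PACKAGE_SUFFIXES):
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, mirror_root)] = sha256_of(full)
    return found


def load_manifest(manifest_path):
    if not os.path.exists(manifest_path):
        return {}
    with open(manifest_path) as f:
        return json.load(f)


def freeze(mirror_root, manifest_path):
    """Add packages not seen before to the frozen manifest.

    Entries already in the manifest are never overwritten here: a live
    checksum that disagrees with the manifest is exactly what verify()
    must report, so freezing must not paper over it.
    """
    manifest = load_manifest(manifest_path)
    for rel, digest in scan_packages(mirror_root).items():
        manifest.setdefault(rel, digest)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify(mirror_root, manifest_path):
    """Compare the live mirror against the frozen manifest.

    Returns (modified, missing, new): frozen files whose content changed,
    frozen files that vanished (for instance after an rsync --delete pass),
    and files not yet frozen.  Only the first two are integrity failures.
    """
    frozen = load_manifest(manifest_path)
    live = scan_packages(mirror_root)
    modified = sorted(r for r in frozen if r in live and live[r] != frozen[r])
    missing = sorted(r for r in frozen if r not in live)
    new = sorted(r for r in live if r not in frozen)
    return modified, missing, new


def demo():
    """Constructed scenario: freeze a mirror, then simulate a silent swap."""
    root = tempfile.mkdtemp(prefix="mirror-")
    manifest = os.path.join(root, "frozen.json")
    updates = os.path.join(root, "updates", "9", "i386")
    os.makedirs(updates)

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    # Day 1: two packages land and are frozen (fake contents, not RPMs).
    write("updates/9/i386/openssh-5.0p1-3.fc9.i386.rpm", b"openssh build 3")
    write("updates/9/i386/bash-3.2-22.fc9.i386.rpm", b"bash build 22")
    freeze(root, manifest)

    # Day 2 sync: one frozen package is replaced under the same file name,
    # one is deleted, and one genuinely new package arrives.
    write("updates/9/i386/openssh-5.0p1-3.fc9.i386.rpm", b"openssh build 3 (replaced)")
    os.remove(os.path.join(updates, "bash-3.2-22.fc9.i386.rpm"))
    write("updates/9/i386/kernel-2.6.25.14-108.fc9.i686.rpm", b"kernel build 108")
    return verify(root, manifest)


if __name__ == "__main__":
    modified, missing, new = demo()
    print("modified (integrity failure):", modified)
    print("missing  (integrity failure):", missing)
    print("new      (not yet frozen):   ", new)
```

In practice you would run `verify()` after every sync and only call `freeze()` once the new files have been looked at (or at least once the upstream announcements have been checked, as Arthur suggests), so that a bad sync never gets promoted into the gold list. Keeping the manifest on a host the mirror's sync account cannot write to is the obvious hardening step.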


Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Anders Karlsson
* Björn Persson <[EMAIL PROTECTED]> [20080824 01:38]:
> Anders Karlsson wrote:
[snip]
> > That is a pretty strong statement to make. Not telling everything does
> > not equate lying - especially when what you are telling (or can tell)
> > is true. And if all you have is an impression that he is not truthful,
> > you concede that you have no evidence to the contrary as well.
> >
> > I think you owe Paul Frields an apology.
> 
> It would be possible to convince me that he didn't mean to deceive. It would 
> take an honest-sounding statement that he thought that everybody would 
> understand that installing packages might be not only unsafe but actually 
> insecure, and also a very good explanation of why he – or someone giving him 
> orders – thought it was absolutely necessary to be so cryptic. It would be 
> dishonest to apologize before I'm convinced.

Again you are making the assumption that the intent was to deceive or
to not tell the truth. Paul Frields actions speaks louder than words
and I have utmost respect for him.

I stand by my previous e-mail, you owe Paul an apology (granted, take
your time coughing it up) and you should read the book I pointed you
at so you realise what these investigations entail.

/Anders





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Rui Miguel Silva Seabra
On Sun, Aug 24, 2008 at 08:35:39AM +0900, Joel Rees wrote:
> It's one of the costs (and, actually, one of the benefits) of working  
> with open source. With "Proprietary" you have "guarantees". When they  
> fall down on the job, or when other bad stuff happens, you can  
> theoretically get some sort of compensation. But when you look at the  
> record, the compensation you get isn't worth it.

I think your view ignores the fact that you *only* get "guarantees" on
software if you make a contract for such, and even so they are called
Service Level Agreements (SLAs).

Software is copyright, so demanding "guarantees" is like demanding
guarantees from a book. It can't be done.

Now since SLAs may be bought regardless of the software license, you get
SLAs with any company which is willing to sell them.

Red Hat, for instance, is quite happy (I imagine) to sell you support
with an SLA.

> With opensource, you have both the responsibility and the privilege to 
> run your own install servers and backups. And you don't have the  
> guarantees that seem to fool the bean counters.

No, that's merely Free Software without commercial support. You get to
depend on your knowledge and the community's alone.

The nicest thing about Free Software is that this pretty much works
quite well, generally, and in special cases you can usually buy some
commercial support from someone.

With proprietary software you usually only get the commercial support
(and frequently it sucks) and there's little community (if at all).

I'm pretty much opposed to the concept of guarantees on software in a
general way, for it only favours proprietary software.

Free Software would have to certify any change in order to provide
guarantees, and that would kill the development model.

Rui

-- 
Fnord.
Today is Sweetmorn, the 17th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bjørn Tore Sund

Björn Persson asked:

> Bjørn Tore Sund wrote:
>> One thing this
>> incident has taught us is to take regular backups of that mirror so that we
>> can roll back to a non-suspect version of the Fedora updates.  Didn't have
>> that before, really missed it the last couple of weeks.
>
> How far would you have rolled it back? During the whole time that the Fedora
> repositories were suspect there was no information whatsoever on how old
> packages would have to be to be non-suspect. And while the infrastructure
> team either knew or suspected the whole time that the issue they were
> investigating was an intrusion, it probably did take some time before they
> knew how long the intrusion had been going on.

Sometimes you have all necessary information and can reach a well-founded
conclusion.  Sometimes you have to guess and hope for the best.  When I have
to guess because others are keeping information I need from me I'll postpone
the guessing while I attempt to persuade said other of the error of their
ways.  But I'll still make that guess when all else fails.

-BT
-- 
Bjørn Tore Sund   Phone: 555-84894   Email:   [EMAIL PROTECTED]
IT department VIP:   81724   Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Björn Persson
max wrote:
> You had no idea there was a security
> issue? It was the first thing to cross my mind when I first saw the
> announcement. What else could it have been? Why else the cryptic
> message?

You're lucky to be that paranoid. Many people would call me paranoid if they 
knew what kind of security measures I take with my home computers, but 
apparently I'm not paranoid enough yet.

Can you answer the opposite question: Why the cryptic message? Can you think 
of a rational reason to avoid the word "security"? Something more concrete 
than just "legal issues"?

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread max

Björn Persson wrote:
> max wrote:
>> You had no idea there was a security
>> issue? It was the first thing to cross my mind when I first saw the
>> announcement. What else could it have been? Why else the cryptic
>> message?
>
> You're lucky to be that paranoid. Many people would call me paranoid if they

You call it paranoia, I call it common sense. Do the math, I did. I felt
that if it was anything but a security issue then they'd have come right
out and said so. The only reason not to come out and say so boiled down
to a handful of things. An ongoing investigation and/or uncertainty
about what had happened. If you and others want to insist that it was
just not wanting to own up to the incident then I have to assume you
don't trust the Fedora Project. If you don't trust it then why use the
product of its labor? All this talk of obscurity is a bunch of bullshit
when anyone with a grain of common sense would have come to the proper
conclusion or suspicion, if you like, and done what needed doing at
their end. The message set off the warning bells for me precisely
because it avoided stating that it wasn't a security issue, others read
it the same way. All things considered it's been handled to my
satisfaction. The only thing that's been made clear is that the Fedora
Project has a number of users who take it for granted.

> knew what kind of security measures I take with my home computers, but
> apparently I'm not paranoid enough yet.
>
> Can you answer the opposite question: Why the cryptic message? Can you think
> of a rational reason to avoid the word "security"? Something more concrete
> than just "legal issues"?

Once again we don't know the constraints imposed on them. Some are
certainly caused by legal issues and what remains an ongoing
investigation. Your opinion of US law is irrelevant, I've had my issues
with it before as well but the law is the law. The point is that we
don't have all the facts. The more important point is that you have used
half the facts to indict Paul Frields. I am willing to concede that you
might even be right Bjorn, but you have rushed to judgement before a
reasonable amount of time has been given to carry out the investigation.
You're being unfair.


--
"Every form of addiction is bad, no matter whether the narcotic be 
alcohol, morphine or idealism." --Carl Jung




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 11:15:26 -0400,
  max <[EMAIL PROTECTED]> wrote:
> out and said so. The only reason not to come out and say so boiled down  
> to a handful of things. An ongoing investigation and/or uncertainty  
> about what had happened. If you and others want to insist that it was  

And neither of those two reasons provides good cause for not notifying
the community that there was an intrusion, that the extent of the damage
was unknown, that the extent of the damage was being investigated and that
until further information becomes available it would be prudent not to
update packages without good cause.

> just not wanting to own up to the incident then I have to assume you  
> don't trust the Fedora Project. If you don't trust it then why use the  

The way the incident was handled doesn't inspire trust. Lots of other things
the project does, though.

> satisfaction. The only thing that's been made clear is that the Fedora  
> Project has a number of users who take it for granted.

Or, alternatively a project that takes its community for granted.

> Once again we don't know the constraints imposed on them. Some are  
> certainly caused by legal issues and what remains an on going  

If they had legal constraints on them for some reason, then I would expect
that later they would explain what those constraints were and what they
were going to do to make sure they weren't under them in the future.

> don't have all the facts. The more important point is that you have used  
> half the facts to indict Paul Frields. I am willing to concede that you  

Even if Paul could not have done more in this case, because he was legally
handcuffed, there is still a problem. This is supposed to be a community
distribution and there should have been more information provided to
the community in a timely manner. This should be fixed for the next time
something like this happens.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Les Mikesell

max wrote:
> You call it paranoia, I call it common sense. Do the math, I did. I felt
> that if it was anything but a security issue then they'd have come right
> out and said so. The only reason not to come out and say so boiled down
> to a handful of things.

But doesn't a security issue usually imply that everyone else running
the same software is vulnerable to the same intrusion?  That is, the
last thing you want to do is keep running with no updates.

> The only thing that's been made clear is that the Fedora
> Project has a number of users who take it for granted.

Do we know yet how the initial access to the machine was obtained?  Ssh
password-guessing or a more fundamental software problem that may still
be a danger for others?


--
  Les Mikesell
   [EMAIL PROTECTED]





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread max

Les Mikesell wrote:
> max wrote:
> > You call it paranoia, I call it common sense. Do the math, I did. I
> > felt that if it was anything but a security issue then they'd have
> > come right out and said so. The only reason not to come out and say so
> > boiled down to a handful of things.
>
> But doesn't a security issue usually imply that everyone else running
> the same software is vulnerable to the same intrusion?  That is, the
> last thing you want to do is keep running with no updates.

Maybe but we don't know yet what exactly happened. My issue is not with
saying it was handled badly. I would have preferred that more
information was provided. That isn't what happened though and ultimately
it comes down to a matter of trust. Second guessing the man on the
ground is popular but unwise, people only assume they would have done
better in the same situation but that is by no means certain. You're on
the scene, you make a judgement call based on what you know and what you
think best at the moment. Hindsight is always 20/20, having to make the
call is harder by far and I think accusing Paul Frields of intentionally
deceiving us is going too far, especially without all the facts. This
didn't happen last year, it's ongoing, taking place over the course of a
couple of weeks and it's only fair to allow time for a proper assessment
of the situation. How many complaints would we have seen if it turned
out to be a false alarm? How many would have blown away their systems
and then cried that nothing should have been said until they were
certain what had transpired?

> > The only thing that's been made clear is that the Fedora Project has a
> > number of users who take it for granted.
>
> Do we know yet how the initial access to the machine was obtained?  Ssh
> password-guessing or a more fundamental software problem that may still
> be a danger for others?

That is precisely the point, we don't know much. If users don't trust
the Fedora Project then they should go elsewhere but I doubt they'll do
any better. Some organizations won't even give a vague warning, never
mind admit they've been cracked.



--
Fortune favors the BOLD



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 12:55:54 -0400,
  max <[EMAIL PROTECTED]> wrote:
> That is precisely the point , we don't know much. If users don't trust  
> the Fedora Project then they should go elsewhere but I doubt they'll do  
> any better. Some organizations won't even give a vague warning, never  
> mind admit they've been cracked.

I'd rather try to change the way the project handles this type of incident
rather than spend my time working with another linux distro project at
this time.

Comparing Fedora to the worst organizations isn't doing its reputation
any favors. Fedora sets a pretty high bar in many areas, and I would like
the bar also set high for the project leadership being open with the
community.

The Fedora project seems to value many facets of openness (e.g. they did a lot
of work a few releases ago to open up the build tools for the distro). So
while I didn't find any obvious statements that the project has an explicit
goal to work in an open and transparent manner, I think the impression is
that that is a goal of the project.

The way the recent compromise was handled was not a good example of how a
truly open project should have handled such an incident. It took a week
before a statement was issued admitting a compromise. That should have
been part of the very first announcement.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Thomas Cameron

Anders Karlsson wrote:
> * Björn Persson <[EMAIL PROTECTED]> [20080823 18:57]:
> > Rahul Sundaram quoted Paul W. Frields:
> > > [snip]
> > > Disclosure at an inappropriate time gives people the mistaken impression
> > > one is not being truthful, when that's not the case.
> >
> > The first announcement gave me the impression that there was a technical
> > problem, such as overloaded web servers or a crashed database or something.
> > In retrospect it's obvious that when that announcement was written they
> > already knew or at least suspected that there had been an intrusion. This
> > gives me the impression that Paul W. Frields was not being truthful. He lied
> > by telling half the truth.
>
> That is a pretty strong statement to make. Not telling everything does
> not equate lying - especially when what you are telling (or can tell)
> is true. And if all you have is an impression that he is not truthful,
> you concede that you have no evidence to the contrary as well.
>
> I think you owe Paul Frields an apology.

It'll never happen, although I agree completely that it's due.

The nay-sayers and gloom-speakers on this list are *much* more
interested in bitching and moaning about how things have been handled
wrong and they've been treated badly than actually being good members of
the community.

It makes me sick when I see this spew, and I want to (virtually)
throttle these jackasses.

> > > [snip]
> > > As I stated in the announcement, I'll continue to provide information as
> > > it becomes available."
> >
> > Did it really take a week before the information that the issue was related to
> > security became available?
>
> I think you ought to read the book "The Cuckoo's Egg" by Clifford
> Stoll. Once you have read it and understood it, feel free to comment
> again on the issue at hand here.

See, there's the thing - the ones who bitch the loudest are usually the
ones who understand the least.  To actually encourage them to remedy
their ignorance is just a waste of electrons.  They seem to be happy in
their wallow.


--
Thomas




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Thomas Cameron

Björn Persson wrote:
> max wrote:
> > You had no idea there was a security
> > issue? It was the first thing to cross my mind when I first saw the
> > announcement. What else could it have been? Why else the cryptic
> > message?
>
> You're lucky to be that paranoid. Many people would call me paranoid if they
> knew what kind of security measures I take with my home computers, but
> apparently I'm not paranoid enough yet.
>
> Can you answer the opposite question: Why the cryptic message? Can you think
> of a rational reason to avoid the word "security"? Something more concrete
> than just "legal issues"?


The whole point is that no one on this list except possibly Red Hat 
employees or Fedora board members can answer that.  These are not stupid 
people.  These are not dishonest people.  They're not devious folks. 
These are the same folks from whom you consume a distribution, people 
who devote their careers to making OSS, specifically Fedora, work as 
well as it does.  They do a really hard, mostly thankless job.


Recovery from a security breach is *very* hard work.  You need to determine the
attack vector, the extent of the breach, remediate the breach, rebuild 
damaged servers, restore data and services, notify anyone whose 
information might have been compromised, forensically analyze the 
systems, etc., etc., etc.  All while trying to preserve any evidence 
which might be needed by any law enforcement agencies which have been 
involved.  Oh, and until the full extent of the breach is determined, it 
is foolish and irresponsible to announce anything about that breach. 
Had Paul said "Hey all, we've gotten hacked and we don't know how badly 
or how they got in or what the damage is" he'd have been eaten alive, 
and rightly so.  Instead he took a very reasonable approach, apparently 
disclosed as much as he could at the time, and warned folks as soon as 
he could to not trust updates.


But here you come from the outside and publicly call the head of the 
project a liar when you *clearly* do not have all the information.  What 
arrogance.  Congratulations, you've just landed at the top of the 
"Asshole of the Year" list.


Welcome to my killfile, Björn.

--
Thomas




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Björn Persson
max wrote:
> If you and others want to insist that it was
> just not wanting to own up to the incident

It doesn't seem likely that that was the reason. If they didn't want to admit 
that there had been an intrusion, then I don't think they would have sent out 
any warning at all. They did try to get a warning out, but they didn't want 
to say that it was about security. I don't know if they thought that 
everybody would be able to read between the lines, or if they thought that 
people wouldn't understand but would stop updating without knowing why, but 
either way I don't understand why they didn't tell us clearly what it was 
they were trying to warn us about.

> then I have to assume you 
> don't trust the Fedora Project.

I did trust the Fedora project. Now I'm not so sure anymore.

> The only thing that's been made clear is that the Fedora
> Project has a number of users who take it for granted.

Take what for granted? The Fedora project's existence? Its security? Its 
openness? Yes, maybe I did take its openness for granted. There's been a lot 
of talk about openness and having the community involved on equal terms. I 
guess I believed it.

> > Can you answer the opposite question: Why the cryptic message? Can you
> > think of a rational reason to avoid the word "security"? Something more
> > concrete than just "legal issues"?
>
> Once again we don't know the constraints imposed on them. Some are
> certainly caused by legal issues and what remains an ongoing
> investigation. Your opinion of US law is irrelevant, I've had my issues
> with it before as well but the law is the law. The point is that we
> don't have all the facts.

In other words, no, you can't think of a plausible reason either.

> The more important point is that you have used 
> half the facts to indict Paul Frields.

I have not accused Paul Frields of a crime. I pointed out that the extreme 
vagueness of his announcements, which he claimed had the purpose of avoiding 
the impression that he wasn't truthful, actually had the opposite effect on 
me. That's a failure to some degree if his intentions were honest. It's not a 
crime. I have also left the possibility open that someone else may have given 
him orders.

I didn't use anywhere near half the facts. I used two facts: That the issue 
was a security issue, and that this was not clearly stated in the first 
announcement.

> you have rushed to judgement before a
> reasonable amount of time has been given to carry out the investigation.

This is not about how long the investigation takes. It's about the lack of the 
word "security" in the first announcement. I fully understand that the 
investigation takes time. It did not, however, take this long to find out 
that the issue was a security issue. If you think I'm complaining that the 
investigation takes too long, then you haven't read what I've written.

Björn Persson



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Les Mikesell

Thomas Cameron wrote:
> Oh, and until the full extent of the breach is determined, it
> is foolish and irresponsible to announce anything about that breach.

Well, except for the fact that everyone else running the same software
is still exposed to the same threat - if it was a software vulnerability
that permitted the intrusion in the first place.

> But here you come from the outside and publicly call the head of the
> project a liar when you *clearly* do not have all the information.

Calling someone a liar is a bit extreme, but everyone running similar
software with similar exposure has good reason for concern until they do
have this information.


--
  Les Mikesell
   [EMAIL PROTECTED]



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread max bianco
2008/8/24 Björn Persson <[EMAIL PROTECTED]>:
> max wrote:
>> If you and others want to insist that it was
>> just not wanting to own up to the incident
>
> It doesn't seem likely that that was the reason. If they didn't want to admit
> that there had been an intrusion, then I don't think they would have sent out
> any warning at all. They did try to get a warning out, but they didn't want
> to say that it was about security. I don't know if they thought that
> everybody would be able to read between the lines, or if they thought that
> people wouldn't understand but would stop updating without knowing why, but
> either way I don't understand why they didn't tell us clearly what it was
> they were trying to warn us about.
>
>> then I have to assume you
>> don't trust the Fedora Project.
>
> I did trust the Fedora project. Now I'm not so sure anymore.
>
>> The only thing that's been made clear is that the Fedora
>> Project has a number of users who take it for granted.
>
> Take what for granted? The Fedora project's existence? Its security? Its
> openness? Yes, maybe I did take its openness for granted. There's been a lot
> of talk about openness and having the community involved on equal terms. I
> guess I believed it.
>
>> > Can you answer the opposite question: Why the cryptic message? Can you
>> > think of a rational reason to avoid the word "security"? Something more
>> > concrete than just "legal issues"?
>>
>> Once again we don't know the constraints imposed on them. Some are
>> certainly caused by legal issues and what remains an ongoing
>> investigation. Your opinion of US law is irrelevant, I've had my issues
>> with it before as well but the law is the law. The point is that we
>> don't have all the facts.
>
> In other words, no, you can't think of a plausible reason either.
>

and I have the sense not to speculate without the full facts. Why is
giving Fedora the benefit of the doubt so hard?

>> The more important point is that you have used
>> half the facts to indict Paul Frields.
>
> I have not accused Paul Frields of a crime. I pointed out that the extreme

You called him a liar. Laws can be silly and violating a silly law,
if it is in fact silly, is still a crime officially.
Calling someone a liar isn't a crime but it's worse than withholding
information, especially when you don't know what he is or isn't at
liberty to discuss. This also involves Red Hat and not the Fedora
Project alone.

> vagueness of his announcements, which he claimed had the purpose of avoiding
> the impression that he wasn't truthful, actually had the opposite effect on
> me. That's a failure to some degree if his intentions were honest. It's not a
> crime. I have also left the possibility open that someone else may have given
> him orders.
>
You called him a liar

> I didn't use anywhere near half the facts. I used two facts: That the issue
> was a security issue, and that this was not clearly stated in the first
> announcement.
>
You're right, I gave you too much credit when I said half the facts.

>> you have rushed to judgement before a
>> reasonable amount of time has been given to carry out the investigation.
>
> This is not about how long the investigation takes. It's about the lack of the
> word "security" in the first announcement. I fully understand that the
> investigation takes time. It did not, however, take this long to find out
> that the issue was a security issue. If you think I'm complaining that the
> investigation takes too long, then you haven't read what I've written.
>
The only issue I have with anything you've said is your assertion that
Paul Frields intentionally deceived us. You made this statement
without being fully acquainted with the facts, we still do not have
them all. If you think I have no issues with how this was handled then
how about I accuse you of being obtuse. I have no interest in debating
it further, say what you will, you made an error in judgment.


-- 
Sometimes I wonder if God has a sense of humor... then I see the
coverage of the 2008 campaign and I know for sure God has a great
sense of humor!!



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 9:20 AM, Bruno Wolff III <[EMAIL PROTECTED]> wrote:
> The way the recent compromise was handled was not a good example of how a
> truly open project should have handled such an incident. It took a week
> before a statement was issued admitting a compromise. That should have
> been part of the very first announcement.


You want it handled better in the future?  Then write a draft process
that will withstand the scrutiny of legal on how to handle situations
such as this as transparently as possible.  It's easy to look back at
this specific incident and second guess how it was handled. But that's
not good enough to do that... not even close.  We aren't going to build
a policy around the chatter over this one incident.  If you want to
see sensitive issues handled better in the future, then stand up a
strawman for a transparent process that can be generally applied to
sensitive issues. A transparent process that deals with legal issues
must balance caution with disclosure.  I believe that an incident
response process itself can be transparent, even if the full details
can not be publicly disclosed instantaneously due to legal constraint.
And rest assured that whatever process that is will never satisfy all
disclosure demands. But if we as a community haven't put in the work
to build a process that guides the actions taken in a crisis situation
that meets legal constraints, then we, as a community, have no right to
sit back and second guess the actions of any individuals who have to
stand in the middle of a crisis and make a judgement call.

You want things to be better? You want to have the right to hold up
the actions of our leadership to your opinions on how things should be
done? Then create the process document which is meant to guide their
actions before they have to step in and take action. If that process
document doesn't meet legal scrutiny... then you get to do it again
and again and again... until it does.  I don't expect the first such
draft to meet the necessary legal scrutiny. I expect that this will
take non-trivial effort and a few rounds of dialogue to get legal and
community on the same page as to what is achievable as a transparent
process that doesn't trip over a legal landmine.  And while I haven't
talked to Paul personally about this, I'm pretty sure that he is
between a rock and a hard place when it comes to satisfying both the
perceived needs of community and the strictures of legal constraints
in this matter. So are the other people who have been working on the
infrastructure to resolve the issue.  And we as a community are only
going to make it easier for Paul or other leadership if we find a way
to get a process document into the hands of Legal and start hammering
out how to handle this sort of crap with more transparency moving forward.

To expect any individual to make a judgement call in the time of need
that attempts to infer the consensus opinion of the larger community
is ridiculous. Such consensus opinion must be formed and communicated
before the need for action occurs.  And if this community moves
forward and starts to put a process document together, then those of
you in the community who have had to deal with situations like this in
the past need to be involved... to educate those other people in the
community who do not comprehend the nature of the legal constraints.
I'm going to strongly suggest that if the first draft of such a
transparent process document doesn't attempt to address the
community's perception of what the legal constraints are, but instead
reads as a bald demand for instant disclosure, then you haven't done
your jobs at creating a useful starting point for a dialogue on the
issue, and you'll have squandered an opportunity to increase process
transparency.


-jef



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 11:27:47 -0800
Jeff Spaleta <[EMAIL PROTECTED]> wrote:

>  the full details
> can not be publicly disclosed instantaneously due to legal constraint

This I simply don't understand.

If I am minding my own business and walking to the post office, and Joe Bloggs
walks up to me and punches me in the nose, I think I'm perfectly within my
rights to tell my friends and everyone else who wants to listen that Joe Bloggs
punched me in the nose. On the other hand, if I want to date Joe Bloggs' sister
I might tell people who ask me how I got a broken nose that I can't tell them.
But that's not "legal reasons", that's simply my personal choice to keep quiet
about it.

Why should this be any different?  Either something happened, or it did not.
If something happened, then the facts will either be released, or not.  I don't
see how vague, unspecified "legal reasons" could stop anyone from discussing
their involvement unless there is some contractual issue involved, in which
case the person(s) involved in enforcing the contract are the ones who are in a
position to provide the facts.  "I realize that this contract says that
I'm not supposed to talk about this, but in these circumstances perhaps we
should make an exception."  "I agree.  Here is a written waiver of the relevant
contract provisions."  Problem solved.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Anders Karlsson
* Frank Cox <[EMAIL PROTECTED]> [20080824 21:42]:
> On Sun, 24 Aug 2008 11:27:47 -0800
> Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> 
> >  the full details
> > can not be publicly disclosed instantaneously due to legal constraint
> 
> This I simply don't understand.

You do not need to understand, you just need to accept that this is
the case.
You may not like it (I don't particularly, but I realise the need for
it), and you are within your right to voice your opinion.

> If I am minding my own business and walking to the post office, and Joe Bloggs
> walks up to me and punches me in the nose, I think I'm perfectly within my
> rights to tell my friends and everyone else who wants to listen that Joe 
> Bloggs
> punched me in the nose. On the other hand, if I want to date Joe Bloggs' 
> sister
> I might tell people who ask me how I got a broken nose that I can't tell them.
> But that's not "legal reasons", that's simply my personal choice to keep quiet
> about it.

You are describing two situations that are worlds apart. Comparing
apples and oranges is not going to all of a sudden make you right.

> Why should this be any different?  Either something happened, or it did not.
> If something happened, then the facts will either be released, or
> not.

In due time. Patience is a virtue and all that. In another post, Paul
Frields pointed at a thread that explains the situation.

> I don't see how vague, unspecified "legal reasons" could stop anyone
> from discussing their involvement unless there is some contractual
> issue involved, in which case the person(s) involved in enforcing
> the contract are the ones who are in a position to provide the
> facts.  "I realize that this contract says that I'm not supposed to
> talk about this, but in these circumstances perhaps we should make
> an exception."  "I agree.  Here is a written waiver of the relevant
> contact provisions."  Problem solved.

If you are volunteering to spend all the years in jail on behalf of
those involved in the investigation that you are asking to interfere
in a criminal investigation - I guess that some sort of deal can be
accommodated with the courts. (And yes, I'm taking the piss now as the
discussion is beyond farcical.)

Facts - not petty demands or ludicrous speculation - will emerge in
due time and when appropriate, and I still think that The Cuckoo's Egg
should be a mandatory read before people start demanding instant
disclosure.

/Anders



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruce Byfield
On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 11:27:47 -0800
> Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> 
> >  the full details
> > can not be publicly disclosed instantaneously due to legal constraint
> 
> This I simply don't understand.

Anybody who has had extensive dealings with lawyers knows that they tend
to err on the side of caution at any time. When a publicly traded
company is involved, that's even more true.

Whether Red Hat and Fedora could have acted differently is a debatable
point. But that Red Hat acted as it did is not surprising. Just because
a corporation is open source, it doesn't stop being a corporation.

-- 
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 22:09:09 +0200
Anders Karlsson <[EMAIL PROTECTED]> wrote:

> * Frank Cox <[EMAIL PROTECTED]> [20080824 21:42]:
> > On Sun, 24 Aug 2008 11:27:47 -0800
> > Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> > 
> > >  the full details
> > > can not be publicly disclosed instantaneously due to legal constraint
> > 
> > This I simply don't understand.
> 
> You do not need to understand, you just need to accept that this is
> the case.
> You may not like it (I don't particularly, but I realise the need for
> it), and you are within your right to voice your opinion.

If I "simply need to accept", then it's not open, and saying that this is an
open process or a community is merely pretty window-dressing.
> 
> > If I am minding my own business and walking to the post office, and Joe 
> > Bloggs
> > walks up to me and punches me in the nose, I think I'm perfectly within my
> > rights to tell my friends and everyone else who wants to listen that Joe 
> > Bloggs
> > punched me in the nose. On the other hand, if I want to date Joe Bloggs' 
> > sister
> > I might tell people who ask me how I got a broken nose that I can't tell 
> > them.
> > But that's not "legal reasons", that's simply my personal choice to keep 
> > quiet
> > about it.
> 
> You are describing two situations that are worlds apart. Comparing
> apples and oranges is not going to all of a sudden make you right.

They are both a crime.  One affects me, and one affects many people around the
globe, in ways that we still are unaware of due to a lack of factual disclosure.

I'd say that the second situation is even more worthy of open discussion and
full disclosure than the first.

> 
> > Why should this be any different?  Either something happened, or it did not.
> > If something happened, then the facts will either be released, or
> > not.
> 
> In due time. Patience is a virtue and all that.

Unfortunately, there are many people who have systems that may or may not be
affected by this issue and many of those systems do important stuff.  At least,
stuff that's important to their owners and that's the part that counts.

"My house might be burning down."
"We'll call the fire department to check it out in due time.  Patience is a
virtue." 

> In another post, Paul
> Frields pointed at a thread that explains the situation.

"We aren't going to tell you because we aren't telling you yet" isn't an
explanation.  It's a tautology.
 
> If you are volunteering to spend all the years in jail

I couldn't volunteer even if I wanted to.  I don't have the facts, and I have
no way to obtain them.  So that's not even a choice that's on the table.
Accordingly, it's an irrelevant point.

> Facts - not petty demands or ludicrous speculation - will emerge in
> due time and when appropriate

Now would be past time.  Last week would be an appropriate time.

>, and I still think that The Cuckoo's Egg
> should be a mandatory read before people start demanding instant
> disclosure.

Shall I recommend a few good books for you to read before you call that fire
truck as well?  I have a fairly extensive library and I'm sure I can find
something for you.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Craig White
On Sun, 2008-08-24 at 15:04 -0600, Frank Cox wrote:

> > > Why should this be any different?  Either something happened, or it did 
> > > not.
> > > If something happened, then the facts will either be released, or
> > > not.
> > 
> > In due time. Patience is a virtue and all that.
> 
> Unfortunately, there are many people who have systems that may or may not be
> affected by this issue and many of those systems do important stuff.  At 
> least,
> stuff that's important to their owners and that's the part that counts.

just curious Frank...if you don't trust Fedora Project people to do the
right thing, why are you installing it on any of your computers?

Craig



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 13:19:03 -0700
Bruce Byfield <[EMAIL PROTECTED]> wrote:

> On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
> > On Sun, 24 Aug 2008 11:27:47 -0800
> > Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> > 
> > >  the full details
> > > can not be publicly disclosed instantaneously due to legal constraint
> > 
> > This I simply don't understand.
> 
> Anybody who has had extensive dealings with lawyers knows that they tend
> to err on the side of caution at any time. When a publicly traded
> company is involved, that's even more true.

In this case, I think "err" is an appropriate word.

> Whether Red Hat and Fedora could have acted differently is a debatable
> point.

And we're debating it.

> But that Red Hat acted as it did is not surprising. Just because
> a corporation is open source, it doesn't stop being a corporation.

But when a corporation claims to be host to a "community", they need to be
called on the carpet by that community when they fail to act appropriately.
Ultimately, of course, there isn't much the so-called community or its
members can do other than either abandon the corporation and go its (their, or
his) own way, but less drastic action like a public ass-kicking can sometimes
have a beneficial effect too.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 14:09:53 -0700
Craig White <[EMAIL PROTECTED]> wrote:


> just curious Frank...if you don't trust Fedora Project people to do the
> right thing, why are you installing it on any of your computers?

I've been using it for some time and it generally works quite well.

I'm currently engaged in a debate regarding the appropriate level of
disclosure that should be undertaken in view of an apparent security breach.

My hope is that my contribution to this debate will be beneficial and help to
provide guidance to the community when formulating an appropriate response to
the current and any future situations.

Thanks for asking.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Anders Karlsson
* Frank Cox <[EMAIL PROTECTED]> [20080824 23:11]:
> On Sun, 24 Aug 2008 13:19:03 -0700
> Bruce Byfield <[EMAIL PROTECTED]> wrote:
> 
> > On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
> > > On Sun, 24 Aug 2008 11:27:47 -0800
> > > Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> > > 
> > > >  the full details
> > > > can not be publicly disclosed instantaneously due to legal constraint
> > > 
> > > This I simply don't understand.
> > 
> > Anybody who has had extensive dealings with lawyers knows that they tend
> > to err on the side of caution at any time. When a publicly traded
> > company is involved, that's even more true.
> 
> In this case, I think "err" is an appropriate word.

If you are suggesting "err" as in fail, you're the one failing IMHO.

> > Whether Red Hat and Fedora could have acted differently is a debatable
> > point.
> 
> And we're debating it.

Flogging a dead horse is more like it.

> > But that Red Hat acted as it did is not surprising. Just because
> > a corporation is open source, it doesn't stop being a corporation.
> 
> But when a corporation claims to be host to a "community", they need to be
> called on the carpet by that community when they fail to act appropriately.
> Ultimately, of course, there isn't much the so-called community or its
> members can do other than either abandon the corporation and go its (their, or
> his) own way, but less drastic action like a public ass-kicking can sometimes
> have a beneficial effect too.

Please define "act appropriately". I think you'll be hard pushed to
find *real* lawyers (instead of the IANAL variant that seems to be
thirteen to the dozen around here) claiming that Red Hat has acted
inappropriately in this instance.

If you however by "appropriately" mean - "before we know anything,
we'll trample all over evidence, disclose anything and everything,
totally sabotaging any forensic and/or criminal investigation", then I
guess you may be right.


When disclosure does happen, I'll be delighted to see a similar public
arse-kicking of the ones that were all for breaking process (legal or
sensible).

/Anders



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Craig White
On Sun, 2008-08-24 at 15:15 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 14:09:53 -0700
> Craig White <[EMAIL PROTECTED]> wrote:
> 
> 
> > just curious Frank...if you don't trust Fedora Project people to do the
> > right thing, why are you installing it on any of your computers?
> 
> I've been using it for some time and it generally works quite well.
> 
> I'm currently engaged in a debate regarding the appropriate level of
> disclosure that should be undertaken in view of an apparent security breach.
> 
> My hope is that my contribution to this debate will be beneficial and help to
> provide guidance to the community when formulating an appropriate response to
> the current and any future situations.
> 
> Thanks for asking.

There are circles where my opinion doesn't count and undoubtedly, this
is one of them. Given that Fedora relies upon Red Hat servers for these
things, it's not completely a community issue - in fact, it's clear that
Red Hat has their own interests which trump Fedora's interests.

Of course the Fedora Project board members are the first line of
thought/responsibility for Fedora Project interests and there is a
symbiotic relationship with Red Hat.

I suppose you can drive the debate as long or as far as you wish but as
someone who once had some boxes compromised (a long time ago before I
fully understood firewalls), there's a lot of things to deal with and
informing clients - especially when the full extent is unknown is not a
terribly attractive prospect and definitely lower on the priority scale
than auditing the problem and obviously fixing the problem.

Craig



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 23:34:38 +0200
Anders Karlsson <[EMAIL PROTECTED]> wrote:

> Please define "act appropriately".

act appropriately in this particular situation means this:

We have an open process here, and this matter may have an effect on the
community members.  Therefore we will provide all the facts to the community as
we discover them and we will ensure that the community is at least as well
informed about the issue as we are "in-house".

> I think you'll be hard pushed to
> find *real* lawyers (instead of the IANAL variant that seems to be
> thirteen to the dozen around here) claiming that Red Hat has acted
> inappropriately in this instance.

The first reaction to anything bad happening is "I'd better call my lawyer"?

That's sad.

> If you however by "appropriately" mean - "before we know anything,
> we'll trample all over evidence, disclose anything and everything,
> totally sabotaging any forensic and/or criminal investigation", then I
> guess you may be right.

Disclosure doesn't sabotage forensic evidence.  I can tell you that there is
blood on this shoe without having any effect at all on the blood that's on the
shoe.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Arthur Pemberton
On Sun, Aug 24, 2008 at 11:38 PM, Craig White <[EMAIL PROTECTED]> wrote:
> On Sun, 2008-08-24 at 15:15 -0600, Frank Cox wrote:
>> On Sun, 24 Aug 2008 14:09:53 -0700
>> Craig White <[EMAIL PROTECTED]> wrote:
>>
>>
>> > just curious Frank...if you don't trust Fedora Project people to do the
>> > right thing, why are you installing it on any of your computers?
>>
>> I've been using it for some time and it generally works quite well.
>>
>> I'm currently engaged in a debate regarding the appropriate level of
>> disclosure that should be undertaken in view of an apparent security breach.
>>
>> My hope is that my contribution to this debate will be beneficial and help to
>> provide guidance to the community when formulating an appropriate response to
>> the current and any future situations.
>>
>> Thanks for asking.
> 
> There are circles where my opinion doesn't count and undoubtedly, this
> is one of them. Given that Fedora relies upon Red Hat servers for these
> things, it's not completely a community issue - in fact, it's clear that
> Red Hat has their own interests which trump Fedora's interests.

Took a while to degenerate down to pure RedHat bashing. Not that there
is any evidence to support what you're saying here.

What a lot of people seem to not get is that of course their opinion
counts, but when you present your opinion in a way that seems like
purely complaints, it's hard to make use of it.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 16:44:08 -0500,
  Arthur Pemberton <[EMAIL PROTECTED]> wrote:
> 
> Took awhile to degenerate down to pure RedHat bashing. Not that there
> is any evidence to support what you're saying here.

Saying Fedora's involvement with Redhat might be tied up with why information
was not released to the Fedora community in a timely manner isn't Redhat
bashing.

> What a lot of people seem to not get is that of course their opinion
> counts, but when you present your opinion in a way that seems like
> purely complaints, it's hard to make use of it.

Well right now we aren't being told exactly why we aren't being given appropriate
information so it is hard to add more than say what kind of information we
expect to be getting.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 21:38:18 -0700
Craig White <[EMAIL PROTECTED]> wrote:

> there's a lot of things to deal with and
> informing clients - especially when the full extent is unknown is not a
> terribly attractive prospect and definitely lower on the priority scale

But you weren't standing on a soapbox labelled "community" when this happened.

A community leader has different and more extensive responsibilities than an
individual or someone who is the leader of a strictly private enterprise.
Those responsibilities are to the members of the community.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 12:46:59 -0500,
  Thomas Cameron <[EMAIL PROTECTED]> wrote:
>
> is foolish and irresponsible to announce anything about that breach. Had 
> Paul said "Hey all, we've gotten hacked and we don't know how badly or 
> how they got in or what the damage is" he'd have been eaten alive, and 
> rightly so.  Instead he took a very reasonable approach, apparently  

In your opinion? It seems like many of the people in this thread would
have liked him to have said something to that effect in the first
message. That was not going to damage any ongoing investigation as shutting
down the servers was going to tip their hand in any case. It would have
given the community some information to act (or not) on.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 22:09:09 +0200,
  Anders Karlsson <[EMAIL PROTECTED]> wrote:
> 
> You do not need to understand, you just need to accept that this is
> the case.

In theory at least, Fedora is an open project and we don't have to just
accept the status quo. If it isn't actually an open project then it would
be nice to know that too, as accurate information will help people make
better decisions on whether or not to participate in the project.

> If you are volunteering to spend all the years in jail on behalf of
> those involved in the investigation that you are asking to interfere
> in a criminal investigation - I guess that some sort of deal can be
> accommodated with the courts. (And yes, I'm taking the piss now as the
> discussion is beyond farcical.)

Any criminal investigation is unlikely to produce anything worthwhile.
While it is probably too late (and because Redhat was involved it might
not have been an option) I would have preferred they ditch any criminal
investigation in preference to keeping the community informed about what
was going on with minimal lag time.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Russell Miller

Bruno Wolff III wrote:

> On Sun, Aug 24, 2008 at 22:09:09 +0200,
>   Anders Karlsson <[EMAIL PROTECTED]> wrote:
> > 
> > You do not need to understand, you just need to accept that this is
> > the case.
> 
> In theory at least, Fedora is an open project and we don't have to just
> accept the status quo. If it isn't actually an open project then it would
> be nice to know that too, as accurate information will help people make
> better decisions on whether or not to participate in the project.

I think that's reasonable.  This is a standard I hold myself at and even
my manager to (which I think he appreciates).  I can go along with
something I don't agree with, but I want to at least know that there is
a legitimate reason for the action.  In a situation that relies on
"volunteers" from the "community", even if it's headed up by a
corporation, that expectation is 10 times as valid, because there's no
money involved to make it easier to stomach.

In other words:  Keep it close to the chest and alienate the community,
or be open and make the community happy.  It's RedHat's choice to make,
but it's not one to be made lightly and not one to be made without due
consideration of the costs involved - and for either choice, there
*will* be costs.

I think (and it's just my opinion) that most here would simmer down and
be content if they were at least sure that RedHat had taken the
community into consideration and that there were valid concerns that
trumped that.  Considering that there are people in the community who
put a lot of time and effort into maintaining Fedora, that is, in my
mind, an eminently reasonable position.


--Russell



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruce Byfield
On Sun, 2008-08-24 at 15:11 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 13:19:03 -0700
> Bruce Byfield <[EMAIL PROTECTED]> wrote:

> > But that Red Hat acted as it did is not surprising. Just because
> > a corporation is open source, it doesn't stop being a corporation.
> 
> But when a corporation claims to be host to a "community", they need to be
> called on the carpet by that community when they fail to act appropriately.
> Ultimately, of course, there isn't much the so-called community or its
> members can do other than either abandon the corporation and go its (their, or
> his) own way, but less drastic action like a public ass-kicking can sometimes
> have a beneficial effect too.

My point is, you can hardly expect a corporation to act as anything
except a corporation. Open source corporations exist, but "open source"
being used as a qualifier suggests that they are an exception, not the
norm, just as "compassionate conservatism" does.

Expecting a corporation to act like a community project is simply
unrealistic, even when the corporation hosts a community. If, say,
Debian acted as Red Hat did, I would be deeply disappointed, because it
is completely community-based. The combination of corporation and
community embodied in Red Hat/Fedora often works very well on a daily
basis, but it's not really surprising that interests should conflict
occasionally -- or that, in these circumstances, actions should be
based primarily on corporate needs.

As for a "public ass-kicking," if you really want to do something
effective (as opposed to indulging in self-righteousness), I suggest you
contact Red Hat and Fedora officials directly, not merely vent in
forums.

-- 
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 11:27:47 -0800,
  Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> I'm going to strongly suggest that if the first draft of such a
> transparent process document doesn't attempt to address the
> community's perception of what the legal constraints are..but instead
> reads as a bald demand for instant disclosure.  Then you haven't done
> your jobs at creating an useful starting point for a dialogue on the
> issue.. and you'll have squandered an opportunity to increase process
> transparency.

Maybe we need to do something to reduce the legal constraints on the process.
At some point perhaps the leadership will be able to explain how legal
considerations got entangled with the Fedora part of the breach and we
can make some changes to avoid that entanglement in the future.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 16:05:11 -0700
Bruce Byfield <[EMAIL PROTECTED]> wrote:

>  it's not really surprising that interests should conflict
> occasionally -- or that, in these circumstances, actions should be
> based primarily on corporate needs.

And it shouldn't be surprising that they are being called on it.

> As for a "public ass-kicking," if you really want to do something
> effective (as opposed to indulging in self-righteousness), I suggest you
> contact Red Hat and Fedora officials directly, not merely vent in
> forums.

That's what the Fedora Board (or whatever its official name is) is for.

They should be front-and-center right now handling the public ass-kicking on
behalf of the community.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruce Byfield
On Sun, 2008-08-24 at 15:42 -0600, Frank Cox wrote:

> The first reaction to anything bad happening is "I'd better call my lawyer?"
> 
> That's sad.

If you look into American law, you'll see that, as a publicly traded
company, Red Hat is required to act in certain ways. So what is sad (or
surprising) about the company, faced with a crisis, calling in its
lawyers? Its executives hardly want to make the situation worse by
neglecting something that they can be held legally liable for later on.

In situations like this, you can't really think in terms of how an
individual might act. Although the legal fiction is that corporations
are people, practically speaking they clearly are not.

-- 
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Russell Miller

Bruce Byfield wrote:

> As for a "public ass-kicking," if you really want to do something
> effective (as opposed to indulging in self-righteousness), I suggest you
> contact Red Hat and Fedora officials directly, not merely vent in
> forums.

Actually, that's not a bad idea.  The company I work for has paid
subscriptions with RedHat, and we're considering buying a few more for
another product that could be lucrative for them.  I don't think an
inquiry about their security practices is out of line.  I'll ping our
account rep. tomorrow.


--Russell



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 18:04:55 -0500
Bruno Wolff III <[EMAIL PROTECTED]> wrote:

> Maybe we need to do something to reduce the legal constraints on the process.
> At some point perhaps the leadership will be able to explain how legal
> considerations got entangled with the Fedora part of the breach and we
> can make some changes to avoid that entanglement in the future.

The first step would be a clear, unambiguous and extremely specific and detailed
statement of just exactly what the legal constraints are and in what context
they are being viewed.  Perhaps issues like these would be better dealt with
by, for example, a separate non-profit organization that's specifically set up
to handle issues related to Fedora servers that's incorporated in Switzerland.
Or something else.  But without a specific description of the problem it's
impossible to provide a solution.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 16:13:17 -0700
Bruce Byfield <[EMAIL PROTECTED]> wrote:

> If you look into American law, you'll see that, as a publicly traded
> company, Red Hat is required to act in certain ways. 

Perhaps a long-term solution would be for Fedora servers to be managed by a
non-profit corporation that's incorporated in a country other than the US.

Where, what and exactly how is left as an exercise for the reader.  But there
was a call for suggestions and in the absence of real information about the
exact nature of the problem, a suggestion as vague as the above is about as
good as it's going to get.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 2:23 PM, Russell Miller <[EMAIL PROTECTED]> wrote:
> I think (and it's just my opinion) that most here would simmer down and be
> content if they were at least sure that RedHat had taken the community into
> consideration and that there were valid concerns that trumped that.

And what exactly do you propose as a mechanism 'to be sure' that the
community was considered?  What is it gonna take, having a randomly
selected user shadow the CEO every day making sure he's not penning an
internal memo that specifically reads "everyone, think of 10 ways to
screw the Fedora users today..and have the lists on my desk by 5 pm
sharp or you will get docked an hour's pay." The fact that Paul was
hired out of the at-large community specifically to be the FPL lead,
because he was active in the community, instead of shuffling the
deckchairs inside Red Hat doesn't say enough about Red Hat's
commitment to community consideration? Paul suddenly became the enemy
of community when before he was hired he was its champion? Honestly I
don't know of anything more significant than that that a corporate
entity can do to show they are committed to the community.  There is
absolutely no question in my mind that Red Hat thinks about community
when it's making decisions which impact Fedora. None. Call me a shill
if you like. But I'm sitting here outside the fenceline and I'm not
going to walk away over this.

Did we have a communication problem? Maybe. But communication problems
are not equivalent to trust issues. But considering that was a
first of its kind event for us as a project, I don't think it's
necessarily unexpected to see some miscommunication. I don't think any
of us, either inside Red Hat or outside had talked through how this
sort of thing should be handled.  I don't remember a serious public
discussion about how to deal with communication of an event like this
before having an event like this. And I'm not going to let the
assumption stand that to do things differently should have been
obvious to those in a position to deal with the information.  We
aren't going to get anywhere by wringing our hands at how this
specific event was (mis)handled.  Certainly attempting to assign blame
towards someone as to miscommunication isn't going to help with the
dialogue that should happen to prevent future miscommunication.
If people want things to be better, if god forbid something like this
happens again, then a serious effort to write a communication process
has to be written up and it must be agreeable to legal as a workable
process that won't set off any legal liability landmines.


-jef"I keep coming back to thinking of Fedora project as a marriage
between Red Hat and the community... and in that light comparing it to
the day to day workings of my own marriage.  Miscommunications happen.
What is obvious to one spouse, isn't so to the other. But when I am
miscommunicated to, I don't assume it was done out of malice or
neglect or a disregard for my feelings. Miscommunications happen
because different people have different priorities and thus see things
in different ways, it's as simple as that. But when it happens, and
when it's over something that is important to me..which truthfully is
pretty much every little thing...then I make the effort to better
communicate my own point of view and expectations in a way that
attempts to show sincere interest in better communication.  Instead of
in a way that is biased with frustration, anger or
entitlement...instead of assuming that the other person in the
partnership should just automatically know where I'm coming from.  In
that way I don't think it's fair to automatically assume that everyone
who Paul has to deal with inside Red Hat automatically 'gets it' when
it comes to the needs of the community. Not because they don't believe
in the community..but because they focus primarily on the needs of the
corporation and so prioritize things differently.  And it's not going
to help Paul make his case if we hammer at this issue from the
community side with frustration, anger and entitlement.  We have to
find a more sincere positive voice to communicate the process we'd
like to see, and we have to communicate a process that addresses what
we perceive are the roadblocks to disclosure from the corporate point
of view. "spaleta



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Craig White
On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 16:05:11 -0700
> Bruce Byfield <[EMAIL PROTECTED]> wrote:
> 
> >  it's not really surprising that interests should conflict
> > occasionally -- or that, in these circumstances, actions should be
> > based primarily on corporate needs.
> 
> And it shouldn't be surprising that they are being called on it.
> 
> > As for a "public ass-kicking," if you really want to do something
> > effective (as opposed to indulging in self-righteousness), I suggest you
> > contact Red Hat and Fedora officials directly, not merely vent in
> > forums.
> 
> That's what the Fedora Board (or whatever its official name is) is for.
> 
> They should be front-and-center right now handling the public ass-kicking on
> behalf of the community.

your perception doesn't match mine as I don't see any public
ass-kicking...I see a few people speculating about what has occurred and
they are projecting their expectations but that doesn't make them
meaningful and in fact looks sloppy at this point.

Craig



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 23:14:40 -0700
Craig White <[EMAIL PROTECTED]> wrote:

> On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> > On Sun, 24 Aug 2008 16:05:11 -0700
> > Bruce Byfield <[EMAIL PROTECTED]> wrote:
> > 
> > >  it's not really surprising that interests should conflict
> > > occasionally -- or that, in these circumstances, that actions should be
> > > based primarily on corporate needs.
> > 
> > And it shouldn't be surprising that they are being called on it.
> > 
> > > As for a "public ass-kicking," if you really want to do something
> > > effective (as opposed to indulging in self-righteousness), I suggest you
> > > contact Red Hat and Fedora officials directly, not merely vent in
> > > forums.
> > 
> > That's what the Fedora Board (or whatever its official name is) is for.
> > 
> > They should be front-and-center right now handling the public ass-kicking on
> > behalf of the community.
> 
> your perception doesn't match mine as I don't see any public
> ass-kicking...

Indeed.  That may be part of the problem at the moment. Lack of official
advocacy at the highest levels, for lack of a better description.

>  I see a few people speculating about what has occurred and
> they are projecting their expectations but that doesn't make them
> meaningful and in fact looks sloppy at this point.

Jeff has been promoting the idea that this issue arose due to a
"mis-communication".  I see it more as a lack of communication.

"Something bad happened, let's tell everyone the minimum that we think we can
get away with" is not a community process.  And that's the point.

Fedora is not MS Windows.  It's not even RHEL.  So why is there an apparent
expectation and acceptance of "Caesar shall decide what the plebeians shall be
told"?


-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruce Byfield
On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 16:05:11 -0700
> Bruce Byfield <[EMAIL PROTECTED]> wrote:
> 
> >  it's not really surprising that interests should conflict
> > occasionally -- or that, in these circumstances, that actions should be
> > based primarily on corporate needs.
> 
> And it shouldn't be surprising that they are being called on it.

Actually, it is. While you may not be too happy with the situation, you
also need to be realistic.


> > As for a "public ass-kicking," if you really want to do something
> > effective (as opposed to indulging in self-righteousness), I suggest you
> > contact Red Hat and Fedora officials directly, not merely vent in
> > forums.
> 
> That's what the Fedora Board (or whatever its official name is) is for.

So write the board. Don't waste time here.

> They should be front-and-center right now handling the public ass-kicking on
> behalf of the community.

Why? Because you want them to be?

Anyway, they've been dealing with a difficult situation for a week.
Possibly, they mishandled it, but I don't begrudge them a day or two to
recuperate before plunging back into the action.


-- 
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruce Byfield
On Sun, 2008-08-24 at 16:11 -0700, Russell Miller wrote:
> Bruce Byfield wrote:
> >
> > As for a "public ass-kicking," if you really want to do something
> > effective (as opposed to indulging in self-righteousness), I suggest you
> > contact Red Hat and Fedora officials directly, not merely vent in
> > forums.
> >   
> Actually, that's not a bad idea.  The company I work for has paid 
> subscriptions with RedHat, and we're considering buying a few more for 
> another product that could be lucrative for them.  I don't think an 
> inquiry about their security practices is out of line.  I'll ping our 
> account rep. tomorrow.

Good for you!

I'm sure a post-mortem is part of what is happening at Red Hat right
now, so this is a good time for clients to influence Red Hat's policy.

-- 
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 16:54:28 -0700
Bruce Byfield <[EMAIL PROTECTED]> wrote:

> > That's what the Fedora Board (or whatever its official name is) is for.
> 
> So write the board. Don't waste time here.

They should be monitoring this mailing list and taking action based on the
wishes of the community.  That's what community representatives do.  Represent
the community's views.

> > They should be front-and-center right now handling the public ass-kicking on
> > behalf of the community.
> 
> Why? Because you want them to be?

See the preceding paragraph.  That's their role.

> Anyway, they've been dealing with a difficult situation for a week.
> Possibly, they mishandled it, but I don't begrudge them a day or two to
> recuperate before plunging back into the action.

Well, it's been a week.  How much more time should be allowed before someone
says "Hey guys, let's roll it"?


-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Rex Dieter
Frank Cox wrote:

> On Sun, 24 Aug 2008 16:13:17 -0700
> Bruce Byfield <[EMAIL PROTECTED]> wrote:
> 
>> If you look into American law, you'll see that, as a publicly traded
>> company, Red Hat is required to act in certain ways.
> 
> Perhaps a long-term solution would be for Fedora servers to be managed by
> a non-profit corporation that's incorporated in a country other than the
> US.

Been there done that, tried and failed.  Read up on "Fedora Foundation".

-- Rex




Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 19:17:33 -0500
Rex Dieter <[EMAIL PROTECTED]> wrote:

> Been there done that, tried and failed.  Read up on "Fedora Foundation".

Maybe it's time to kick that cat again.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Rex Dieter

Frank Cox wrote:

> On Sun, 24 Aug 2008 19:17:33 -0500
> Rex Dieter <[EMAIL PROTECTED]> wrote:
> 
> > Been there done that, tried and failed.  Read up on "Fedora Foundation".
> 
> Maybe it's time to kick that cat again.


And what?  have history repeat itself?

-- Rex



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 19:32:29 -0500
Rex Dieter <[EMAIL PROTECTED]> wrote:

> And what?  have history repeat itself?

Possibly.  Or maybe now there is more of an incentive or imperative with a
real-life example to point to.  Or again, not.

On the other hand, there may easily be better solutions available to solve this
problem.  Unfortunately, nobody has suggested one as far as I'm aware.

It seems that we don't even have a consensus that there is a problem.  That
should probably be dealt with as a first step.

1. Determine that there is a problem.
2. Define the problem.
3. Solve the problem.

We appear to be somewhere around step 1 at the moment, and it's now a full week
(plus) after the event.  This alone indicates that there's a problem.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Rex Dieter

Frank Cox wrote:

> On Sun, 24 Aug 2008 19:32:29 -0500
> Rex Dieter <[EMAIL PROTECTED]> wrote:
> 
> > And what?  have history repeat itself?
> 
> Possibly.


OMG.  Please read about the history there, before posting uninformed 
followup comments.  Please.  Srsly.


-- Rex



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 19:52:07 -0500
Rex Dieter <[EMAIL PROTECTED]> wrote:

> OMG.  Please read about the history there, before posting uninformed 
> followup comments.  Please.  Srsly.

Ok... if that's out, what's your suggested solution?

That was the best idea that I could come up with in the current vacuum and I
haven't seen a better one so far, as I said.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Rex Dieter

Frank Cox wrote:

> On Sun, 24 Aug 2008 19:52:07 -0500
> Rex Dieter <[EMAIL PROTECTED]> wrote:
> 
> > OMG.  Please read about the history there, before posting uninformed 
> > followup comments.  Please.  Srsly.
> 
> Ok... if that's out, what's your suggested solution?


A "solution" implies there's a problem, for which, imo, there isn't one. 
 ymmv.


My best take/advice:  Legal issues simply suck.  That's life.  deal.

-- Rex



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Les Mikesell

Jeff Spaleta wrote:

> Did we have a communication problem? Maybe. 


You make it sound like it was something in the past.  Does anyone know 
yet whether or not the intrusion was due to a software vulnerability in 
code we are all running?  More relevant, does someone know this when the 
rest of us still don't?


--
  Les Mikesell
   [EMAIL PROTECTED]



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 4:23 PM, Frank Cox <[EMAIL PROTECTED]> wrote:
> On Sun, 24 Aug 2008 19:17:33 -0500
> Rex Dieter <[EMAIL PROTECTED]> wrote:
>
>> Been there done that, tried and failed.  Read up on "Fedora Foundation".
>
> Maybe it's time to kick that cat again.


No... as a sitting community elected board member, I am not going to
waste time looking into the Foundation again.  Max Spevack did a
complete summary as to why the Foundation structure won't work for the
day to day operation of Fedora in 2006. Any credible discussion would
have to address the issues communicated then.   From my point of view
nothing material has changed since 2006.  If you want to waste your
time talking about it... feel free... but don't expect me or any
sitting Board member to pay much attention to simple opinionating,
after a significant amount of legwork was done to prepare for a
Foundation structure only to discover the legal requirements for
certifying non-profit status would be quite difficult to meet for this
project.

-jef



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 17:08:42 -0800
Jeff Spaleta <[EMAIL PROTECTED]> wrote:

> as a sitting community elected board member.

As a sitting community representative, what action, other than sitting, have you
taken to deal with the current lack of information distribution?  The community
is still largely in the dark, as you are well aware.   Have you been raising
this issue at the highest levels (raising the issue, raising hell, raising
cain) and getting things done?

What representations have you made on behalf of the Fedora community with
regard to this matter?  With whom?  With what results?  What's your next step?
The step after that?  Where do you see things going from here?  Are further
meetings planned?  When?  What's on the agenda?

There are other highly relevant questions that could also be asked, but these
will provide a starting point for further discussion.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Tim
On Sun, 2008-08-24 at 21:38 -0700, Craig White wrote:
> there's a lot of things to deal with and informing clients -
> especially when the full extent is unknown is not a terribly
> attractive prospect and definitely lower on the priority scale
> than auditing the problem and obviously fixing the problem.

I think most of us were more peeved about not getting a *clear* warning,
promptly, and wanting to know whether it really was a safety issue (do
not download) or just broken servers (downloads may fail).  The how and
what actually happened could have come out later on.

If it turned out that *because* of a lack of good warning, when a good
warning could have been given out, that boxes got compromised all over
the planet, you'd find users really pissed off and leaving in droves,
and Red Hat and Fedora with a shattered reputation.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 20:48:13 -0600
Frank Cox <[EMAIL PROTECTED]> wrote:

> On Sun, 24 Aug 2008 17:08:42 -0800
> Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> 
> > as a sitting community elected board member.
> 
> As a sitting community representative, 

I see that this sounds a bit hostile and I had not intended it to be.

I think it's definitely in order that, in the absence of other information, the
community representative provide a comprehensive report to the community
regarding the current situation with all relevant information, and his role in
it to date, as well as his future plans in that regard.  That would provide an
opportunity for the community (that would be the rest of us here) to give him
guidance as to where we wish to go from here.

That's my point.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Tim
On Sun, 2008-08-24 at 15:13 -0800, Jeff Spaleta wrote:
> communication problems are not equivalent to trust issues.

To many, they are.

> considering that was a first of its kind  event for us as a project, I
> don't think its necessarily unexpected to see some miscommunication. I
> don't think any of us, either inside Red Hat or outside had talked
> through how this sort of thing should be handled.

I seem to remember the documentation that came with Red Hat Linux having
a whole section dedicated to risk management and planning a policy for
it.

I can well imagine a bunch of Fedora volunteers might have been
unprepared for disaster management, but the commercial side of Red Hat
certainly shouldn't be.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Craig White
On Mon, 2008-08-25 at 12:30 +0930, Tim wrote:
> On Sun, 2008-08-24 at 21:38 -0700, Craig White wrote:
> > there's a lot of things to deal with and informing clients -
> > especially when the full extent is unknown is not a terribly
> > attractive prospect and definitely lower on the priority scale
> > than auditing the problem and obviously fixing the problem.
> 
> I think most of us were more peeved about not getting a *clear* warning,
> promptly, and wanting to know whether it really was a safety issue (do
> not download) or just broken servers (downloads may fail).  The how and
> what actually happened could have come out later on.
> 
> If it turned out that *because* of a lack of good warning, when a good
> warning could have been given out, that boxes got compromised all over
> the planet, you'd find users really pissed off and leaving in droves,
> and Red Hat and Fedora with a shattered reputation.

I fully expect that the reason that they took the system off-line 10
days ago was a clear indication of their doubt of the sanctity of the
packages, and they didn't put it back online until they felt that they
knew the extent of the compromise.

Let's be real here...there have been instances when viruses and other
compromised code have been distributed, even in shrink-wrapped
proprietary software, and we all have expectations of best efforts; if
someone feels that best efforts aren't being given, then they should
find another Linux distribution.

Craig



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Craig White
On Sun, 2008-08-24 at 21:03 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 20:48:13 -0600
> Frank Cox <[EMAIL PROTECTED]> wrote:
> 
> > On Sun, 24 Aug 2008 17:08:42 -0800
> > Jeff Spaleta <[EMAIL PROTECTED]> wrote:
> > 
> > > as a sitting community elected board member.
> > 
> > As a sitting community representative, 
> 
> I see that this sounds a bit hostile and I had not intended it to be.

I think that you are coming off as petulant but Jeff can defend himself.

Craig



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Mon, 25 Aug 2008 03:14:16 -0700
Craig White <[EMAIL PROTECTED]> wrote:

> I think that you are coming off as petulant but Jeff can defend himself.

And therefore your purpose in writing this was... ?

(Sorry, but I really don't understand the point you're attempting to make
here.  It seems internally inconsistent, and it's only one sentence long.)

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 7:04 PM, Tim <[EMAIL PROTECTED]> wrote:
> On Sun, 2008-08-24 at 15:13 -0800, Jeff Spaleta wrote:
>> communication problems are not equivalent to trust issues.
>
> To many, they are.

Those people are wrong, and will be utterly useless in any process
which aims to correct miscommunication in the future.  If you or
anyone else is intent on equating miscommunication with mistrust then
you need to refrain from participating in whatever process develops to
address that miscommunication.  We are not going to have a successful
dialogue over the issue of adequate disclosure if the people coming to
the table mistrust each other.  If the communication process can be
improved by bridging the gap between corporate and community
priorities, it's only going to be done by people who can sit down and
trust and listen to what the other people are saying.

-jef



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 6:48 PM, Frank Cox <[EMAIL PROTECTED]> wrote:
> As a sitting community representative, what action, other than sitting, have 
> you
> taken to deal with the current lack of information distribution?  The 
> community
> is still largely in the dark, as you are well aware.   Have you been raising
> this issue at the highest levels (raising the issue, raising hell, raising
> cain) and getting things done?

I see no reason to raise hell. I see an opportunity for people to come
together to draft a new communication process where one has not
existed before. One that all the stake holders can agree to abide by.
I've said as much to the Board and it's why I am in this thread...
specifically challenging community members to take a stab at drafting
a process document.  I am sure as hell not going to be the one
drafting the document. I will facilitate the discussion and will nudge
people in the right direction but I expect community people with a
background in dealing with these sorts of security issues to step up
and lead an effort to create an incident communication process.  If
people in the community don't step up and make a conscientious effort
to put an incident communications policy in place.. then it's not going
to happen.

>
> What representations have you made on behalf of the Fedora community with
> regard to this matter?

My calls to the president of the united states have so far gone
unanswered..but I'll keep at it.

>With whom?  With what results?  What's your next step?
> The step after that?  Where do you see things going from here?  Are further
> meeting planned?

I've had no formal meetings on this matter. In my capacity as a Board
member I have not received any more information with regard to the
incident than has been made public in the announcements.  What has
been deemed to be made public has been made public.  I do not know why
the announcements were worded the way they were and I'm not going to
get sucked into petty speculating on the matter.

What I am here to do is knock some sense into everyone who has been
rattled by how the communication has unfolded. We do not have a Fedora
specific incident communication policy in place...and as far as I know
it's never ever come up for discussion as part of community chit-chat
as to expectations on  how to handle the disclosure in these sorts of
situations. Not even our own community conspiracy theorists have put
this sort of situation up as a doomsday scenario in the past afaict.
Until we have a documented incident communication process in place,
that legal is okay with, none of us have a right to expect incident
communication to be handled better than it has been.

If I had a process document in place, that specifically stated that
the FPL was to inform the board members ASAP as to all details of
infrastructure breaches, I'd be seriously pissed about how things have
unfolded and I'd be in his face in the Board meetings about it. But I
don't have the process document that sets the bar as to disclosure
expectations.. that document does not exist.  Without those
established expectations on how this is to be handled I'm mature
enough to give people the benefit of the doubt as things unfold.
Because I know, they are making the best effort at dealing with an
unlooked for and unexpected problem.  So I'm not going to go around
beating up Paul or anyone else who had to make a judgement call, or
anyone who relied on Red Hat corporate process during the initial
response..or even now.  The only way forward is to establish a Fedora
specific incident communication process.  So next time this
happens..we all know exactly what to expect in terms of communication
and disclosures.

-jef



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 19:37:02 -0800
Jeff Spaleta <[EMAIL PROTECTED]> wrote:

Unfortunately, while a policy for future incidents would be nice, I don't set
it as a priority item at this time.  When your house is burning down, you don't
send out a rfq for fire sprinkler systems.

At the moment, the major issue at hand is the current situation.   Specifically,
the lack of information that's been provided regarding the same.

As a community representative, you should (in my opinion) be on top of whoever
is making the disclosure decisions with several pertinent questions:

1.  What's holding up the disclosure, specifically and in detail?
2.  When can we expect the disclosure to be made?
3. What can the community do to move this process along?

Upon receipt of the answers you should post them to the mailing list and ask
for ideas and guidance from the community as to the next steps that they (we)
would like you to undertake.  It's not unreasonable to expect a comprehensive
report and request for feedback from a representative to the constituents whom
he represents.

To some degree, you have attempted to do this.  Unfortunately your focus is on
the next time, not the current situation.

It's nice to plan for next time, but we're still dealing with this time.  And
it's currently unresolved and outstanding.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Jeff Spaleta
On Sun, Aug 24, 2008 at 7:39 PM, Frank Cox <[EMAIL PROTECTED]> wrote:
> On Sun, 24 Aug 2008 19:37:02 -0800
> Jeff Spaleta <[EMAIL PROTECTED]> wrote:
>
> Unfortunately, while a policy for future incidents would be nice, I don't set
> it as a priority item at this time.  When your house is burning down, you 
> don't
> send out a rfq for fire sprinkler systems.

Oh you've taken Apocalyptic Allegories 101?  I took advanced
Rhetorical Rhetoric.  This should be fun.

I also do not stand in the way of the fire fighters asking them
questions as to what's happening while they are putting the fire out.
Nor do I do it to the fire investigators who poke around in the ashes
trying to figure out what's wrong.  And last time I set a house on
fire, it took weeks for the fire department to confidently determine
that it was arson...and that was just a house fire. When I blew up
that chemical plant that one time, it took months to finally determine
the cause.

I doubt there's much here for me to add. I do not have any details as
to the current situation. I am not one of the fire fighters nor am I
one of the fire investigators.  I am just one of the City Council
members who need to make sure the fire fighters and fire investigators
are following documented procedures with regard to how to communicate
to the public.  And if they don't have those procedures, I back their
asses up when they have to make a judgement call.

I've pointed where I think constructive conversation should go. If you
don't want to be a part of that conversation, that's perfectly okay
with me. In fact I'm thrilled by the fact that you don't see the
policy need as a priority. Hopefully that means you'll keep your noise
out of it while more experienced people work on it.

-jef



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Sun, Aug 24, 2008 at 21:39:40 -0600,
  Frank Cox <[EMAIL PROTECTED]> wrote:
> 
> At the moment, the major issue at hand is the current situation.   
> Specifically,
> the lack of information that's been provided regarding the same.

I think the key stuff is out now. It has been stated that there does not
appear to be any trojaned rpms for Fedora.
Some information on the attack vector could be useful. If the leadership is
aware of a particular application vulnerability or if it is known that the
attack wasn't made through a vulnerable (other than misconfigured)
application, then that information would be nice to know.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Bruno Wolff III
On Mon, Aug 25, 2008 at 12:34:38 +0930,
  Tim <[EMAIL PROTECTED]> wrote:
> 
> I can well imagine a bunch of Fedora volunteers might have been
> unprepared for disaster management, but the commercial side of Red Hat
> certainly shouldn't be.

Redhat is going to want to handle incidents like this differently than what
I expect Fedora to do. I suspect that Redhat's procedure is what was used
in this case.



Re: non-disclosure of infrastructure problem a management issue?

2008-08-24 Thread Frank Cox
On Sun, 24 Aug 2008 23:25:18 -0500
Bruno Wolff III <[EMAIL PROTECTED]> wrote:

> Redhat is going to want to handle incidents like this differently than what
> I expect Fedora to do. I suspect that Redhat's procedure is what was used
> in this case.

I think it is beyond question that Fedora's reputation (if nothing else) has
been damaged by this incident.

Red Hat's response has not done much to mitigate that damage and may have
actually increased it.  Regardless of whether you are in favour of their
response or opposed to it, or even somewhere in between, the mere fact that
this debate is being held makes that point self-evident.

This needs to be brought home to the Red Hat management, and that's where the
community representative's role comes in.

We're here debating this issue.  How many others are reading about this issue
and saying, "I'll look elsewhere".

It's unfortunate and much of this fallout was actually avoidable.

Nobody here wishes Fedora any ill.  If we did, we wouldn't be here.  

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com


