Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:01 UTC (Thu) by jspaleta (subscriber, #50639)
In reply to: Ubuntu, security response, and community contributions by mikov
Parent article: Ubuntu, security response, and community contributions


"Yes, they used work done by others - Debian, RedHat, etc without contributing much software,
but so what ? This is what free software is about. There is nothing immoral or unethical what
Ubuntu is doing!"

Let's be very very clear.  There is a distinct difference between the Community of Ubuntu users
and developers... and Mark Shuttleworth and Canonical.  As much as Shuttleworth would want to
blur the distinction so that he can wrap his statements up in the goodwill of the Ubuntu
community concept to armor them from criticism he does so at the expense of the Ubuntu
community.

The problem is not the Ubuntu community, the problem is Mark Shuttleworth, who is making some very
aggressive statements that are quite simply.. over-reaching..and not properly supported.  He's
burning goodwill with upstream projects in doing so.  

This vulnerability response statement is just the latest example. And I think it's perfectly
appropriate that people start asking him why his company has not invested in a transparent
vulnerability reporting process for Ubuntu users... but is instead relying on unnamed
independent studies to bolster statements to the press.  It doesn't have to be like Red Hat's,
but shouldn't Ubuntu LTS users have something in the same general shape? I think that's a
perfectly reasonable sort of question for Ubuntu users to ask of Shuttleworth and Canonical.

But he's made other high profile statements..to the press and to the public..aggressive
statements, which challenge and undermine the processes and work that upstream projects are
using.  Statements about hardware support and about syncing with upstream development to match
Canonical's business interests have been high profile challenges that simply have not been
backed up by his company's own actions..a lack of engaging the upstream projects and to help
them do better before going to the press with the idea.  

I feel somewhat bad for the Canonical engineers who are engaged with upstream. Shuttleworth is
actually de-valuing what they are doing by making public statements which are out of
proportion with the development work they are doing.  He really needs to let those engineers
lead these sorts of discussions as part of upstream project conversations.  I wonder if he can
do that, take a backseat to the engineers in public facing conversations. Maybe he just
doesn't understand the value of restraint.

Are the things Shuttleworth has made headlines for recently things that Canonical can drive
sustainable development for? I think active community Ubuntu users need to really ask
Shuttleworth and Canonical in general some very hard questions concerning sustainability of
the work they are doing under the Ubuntu brand.  

I believe that Debian as a community reached a sustainable level of development based on the
available resources, and that Debian as a project is going to have a long successful career
serving a specific purpose.  It might be frustrating in some respects, but I believe they've
built a sustainable process.  I'm not so sure Canonical has.

It's an outstanding question, whether Canonical through the creation of the Ubuntu community
has enough resources to sustain the perceived growth happening in the Ubuntu uptake.  Is
Canonical overreaching beyond its own engineering capabilities with its Ubuntu OEM deals? Is
it overreaching with its Ubuntu LTS edition? What happens to Ubuntu if the answer is yes?
Supporters of Canonical admit that they don't have the staffing commitment of Red Hat to
directly support upstream development in the same way. If that is so, then shouldn't all these
sorts of engineering initiatives from Canonical scare the crap out of you as a Ubuntu
community member because it continues to spread engineering resources even thinner?  How
transparent are Canonical's business plans as they relate to your volunteer commitment and needs
as a Ubuntu community member?  Like I said, I think Ubuntu community members need to be a bit
more critical of Canonical and Shuttleworth.

-jef

