
Full disclosure

Posted Aug 17, 2008 4:05 UTC (Sun) by dwheeler (guest, #1216)
Parent article: An update on Fedora's "issues"

One of the primary reasons many people switched to full disclosure was that when vulnerability reporters told vendors, "You have a serious problem", the vendors would try to gag the reporter, pretend there was no problem, and avoid doing anything to fix it.

That is not what seems to be happening here. There are no reports as to whether this is a security problem or not (they may not know!), but clearly they are not trying to pretend there is no problem, and they seem to be working hard to fix it.

"Full disclosure" has its own problems. The big problem with full disclosure is that if the attack isn't already known publicly, it creates a window of time where users often cannot protect themselves effectively (because no fix is available), yet attackers who wouldn't have known about the vulnerability otherwise can now use it. I think you ought to give the supplier a short time to fix the problem, unless or until the supplier has demonstrated an unwillingness to react quickly on security vulnerability reports. At which point, full disclosure may very well be necessary, since it's hard to know when attackers will find the vulnerability... so at that point it's best to provide customers with that information. Since Fedora does not seem to be pretending there's no problem, I don't think a call for full disclosure is necessary; it would just expose its users unnecessarily.

I realize that some people think full disclosure is the one true way, and whatever I say is unlikely to change their minds. But I think there are two modes, "full disclosure" and "delayed disclosure". The latter is often called "responsible disclosure", but I hate that phrase; if the supplier persists in ignoring security issues, then long-delayed reporting is actually irresponsible. I think it's better to select modes for each vendor, depending on how well they respond to vulnerability reports.

So please, I think we should cut Fedora a break. They seem to be trying to do the right thing, instead of ignoring a problem of some kind.



Full disclosure

Posted Aug 17, 2008 7:48 UTC (Sun) by fatherted (subscriber, #33354) [Link]

I think they CAN'T pretend there is no problem, given that everything they've got is/has been down.

The problem is the secrecy. That's really been the Fedora way ever since the beginning -- a small in-bunch, and then the rest of us unwashed masses.

It's very hard to trust when secrecy is all that seems to happen with them.

If it weren't a security issue, it would have been easy to say something about the problem. If it is, then all the unwashed masses need to know if we're affected or not.

Seems to me that Fedora has very much not earned much credibility, and has mostly lost what little it had because of the way this is being handled.

Full disclosure

Posted Aug 17, 2008 9:55 UTC (Sun) by tajyrink (subscriber, #2750) [Link]

One cannot judge them before the details are known. Of course more knowledge would be nice, but it may be that the situation is being handled in the best way it could be.

I think this is a bit the same as around here (probably everywhere) when there is some tragic accident: some people always shout that "people need to know!!" just because they are curious and want to read everything terrible in the tabloids, even though actually minimizing the tragedy and trying to investigate might require secrecy.

If they do not know the exact problem, and have reason to believe hostile people could theoretically do something bad if they let some partial knowledge out to the public, secrecy is the only way to try to minimize risks.

If it turns out more information should have been let out earlier to minimize risks, then they chose wrong. Let's see.

Full disclosure

Posted Aug 17, 2008 12:59 UTC (Sun) by salimma (subscriber, #34460) [Link]

Your judgment seems rather harsh. Pre-existing anti-Red Hat bias? The Fedora project is actually one of the more openly-run community Linux distributions -- apart from Debian, I'm hard-pressed to name another project that is as open to community input (and in fact, it is easier to become a Fedora contributor than to be a Debian developer).

As others have said, this is probably a Fedora-specific vulnerability. If it affects no other service providers, and Fedora has warned its users not to use their services for the time being, how is a full disclosure the more responsible thing to do? You'd be providing more information about possible attack vectors, without any legitimate use.

Disclaimer: I am a Fedora contributor myself

Full disclosure

Posted Aug 17, 2008 9:07 UTC (Sun) by gdt (subscriber, #6284) [Link]

So please, I think we should cut Fedora a break. They seem to be trying to do the right thing, instead of ignoring a problem of some kind.

You've ignored why full disclosure is important to system administrators. Full disclosure allows system owners to make their own assessment of the risk of subversion of their fielded computers. Red Hat has not made any statement about risk beyond "as a precaution, we recommend you not download or update any additional packages on your Fedora systems".

That's a fine initial request. But enough time has passed for more information about the risk to fielded systems to have been produced. Starting with the date of the suspected subversion of Fedora's systems. That would at least indicate to system administrators the date from which all IDS logs, NetFlow data and so on should be retained for future analysis if needed. A high-security site might well choose to turn off all Fedora systems updated after that date until more information becomes available.

Hopefully soon we will also be told if recently-updated Fedora systems should be treated as compromised or not, if the risks are equivalent for Fedora 8 and 9, and so on.

What about mirror sites, should they be preventing access for Fedora updates downloaded after a particular date to lessen the risk to their clients? With the current dearth of information, they can't make a decision.

If this had just occurred, then I'd say "yes, give them a break, give them time to work the problem". But enough time has now passed and the most recent "information" provided was just pathetic.
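The triage step gdt describes above (pick the suspected-subversion date, then find every package a host installed or updated on or after it) can be scripted. The script below is an added example written for this page; it is not from the thread, from Fedora, or from Red Hat. It assumes input lines of the form "<install epoch> <name-version-release>", which is what the real query `rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n'` prints; the cutoff epoch is chosen by the caller, and the sample package list and dates are constructed for illustration, since the actual date of the incident had not been published when this thread was written.

```shell
#!/bin/sh
# Added example (not from the LWN thread or the Fedora project).
# Reads "<install epoch> <name-version-release>" lines on stdin and prints the
# NVRs whose install time is on or after the cutoff epoch, sorted.
# Feed it real data with:
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n' | packages_updated_since "$CUTOFF"
packages_updated_since() {
    cutoff="$1"   # epoch seconds, e.g. from: date -d '2008-08-12 UTC' +%s (GNU date)
    awk -v cutoff="$cutoff" '($1 + 0) >= (cutoff + 0) { print $2 }' | sort
}

# Constructed sample of rpm output; package versions and install times are
# invented for this example and do not describe any real Fedora host.
sample_rpm_output() {
    cat <<'EOF'
1215000000 bash-3.2-22.fc9
1218800000 openssh-5.0p1-3.fc9
1216000000 coreutils-6.12-5.fc9
1218900000 kernel-2.6.25.14-108.fc9
EOF
}

# Prints the number of suspect packages in the sample and exits non-zero if
# there are any, so a site can use it as a "should this host be isolated" check.
suspect_count() {
    n=$(sample_rpm_output | packages_updated_since "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -eq 0 ]
}
```

A host that shows matches is the one gdt suggests powering off until more is known; the same install-time field tells you how far back IDS and NetFlow retention needs to reach for that host. This only narrows the list of packages to examine; it does not verify them, so pair it with `rpm -V` and `rpm -K` on the matches once trustworthy signing keys are confirmed.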

Full disclosure

Posted Aug 17, 2008 13:17 UTC (Sun) by cmc (subscriber, #16767) [Link]

What about mirror sites, should they be preventing access for Fedora updates downloaded after a particular date to lessen the risk to their clients? With the current dearth of information, they can't make a decision.

The official word so far is no. There is a (closed) mailing list for mirror admins that is used to keep us apprised of various issues related to mirror maintenance. If there was some issue that required the mirrors to be shut down, they would say so. Of course they can't force compliance, but they could remove or replace material on the masters and those removals would trickle down to most regularly updated mirrors unless their maintainers took special steps to retain that material.

Full disclosure

Posted Aug 17, 2008 20:23 UTC (Sun) by danieldk (subscriber, #27876) [Link]

Of course they can't force compliance, but they could remove or replace material on the masters and those removals would trickle down to most regularly updated mirrors unless their maintainers took special steps to retain that material.

They can kinda force it, since most people use yum with (Fedora-provided) mirrorlists. If necessary, they could just remove unwanted mirrors from the mirrorlist. In fact, CentOS automatically returns mirrors close to the machine location (according to GeoIP), and leaves out mirrors that are not in sync.

Full disclosure

Posted Aug 17, 2008 14:50 UTC (Sun) by ofeeley (subscriber, #36105) [Link]

Red Hat has not made any statement about risk
Don't expect any statement from Red Hat. Fedora is governed and administered by the Fedora Project Board, of which Paul Frields is the chair and Fedora Project Leader. We've already had two statements from him as reported here, and while they don't contain a lot of information I think we can assume that it's as much as can be said right now. Although Red Hat contributes generously and strongly to the Fedora Project, it would be inappropriate for them to make any statement about this independent (albeit with very strong ties) project.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds