Full disclosure

Posted Aug 17, 2008 9:07 UTC (Sun) by gdt (subscriber, #6284)
In reply to: Full disclosure by dwheeler
Parent article: An update on Fedora's "issues"

So please, I think we should cut Fedora a break. They seem to be trying to do the right thing, instead of ignoring a problem of some kind.

You've ignored why full disclosure is important to system administrators. Full disclosure allows system owners to make their own assessment of the risk of subversion of their fielded computers. Red Hat has not made any statement about risk beyond "as a precaution, we recommend you not download or update any additional packages on your Fedora systems".

That's a fine initial request. But enough time has passed for more information about the risk to fielded systems to have been produced, starting with the date of the suspected subversion of Fedora's systems. That would at least indicate to system administrators the date from which all IDS logs, NetFlow data and so on should be retained for future analysis if needed. A high-security site might well choose to turn off all Fedora systems updated after that date until more information becomes available.

Hopefully soon we will also be told if recently-updated Fedora systems should be treated as compromised or not, if the risks are equivalent for Fedora 8 and 9, and so on.

What about mirror sites, should they be preventing access for Fedora updates downloaded after a particular date to lessen the risk to their clients? With the current dearth of information, they can't make a decision.

If this had just occurred, then I'd say "yes, give them a break, give them time to work the problem". But enough time has now passed and the most recent "information" provided was just pathetic.
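The triage step gdt describes (find the fielded systems that pulled updates after the suspected subversion date, and pin down the earliest time from which logs must be retained) can be scripted from rpm's own install-time records. The script below is an added example, not something from the comment or from the Fedora Project; it parses the output of the real query `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{INSTALLTIME}\n'`. The package list embedded in it is constructed, and the cutoff date is hypothetical, since the thread's complaint is precisely that no date had been published.

```python
#!/usr/bin/env python3
"""Flag packages installed on or after a suspected-compromise date.

Input format is the output of this (real) rpm query:
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{INSTALLTIME}\n'
INSTALLTIME is a Unix epoch timestamp recorded when the package was installed.
"""
import datetime
import sys

# Constructed sample output; names and timestamps are made up for this example.
SAMPLE_RPM_OUTPUT = """\
bash-3.2-22.fc9.i386 1215000000
glibc-2.8-8.i386 1215000100
openssh-server-5.0p1-3.fc9.i386 1218200000
kernel-2.6.25.14-108.fc9.i386 1218600000
"""

# Hypothetical cutoff (assumption: the real date was not disclosed on the page).
HYPOTHETICAL_CUTOFF = datetime.datetime(2008, 8, 6, tzinfo=datetime.timezone.utc)


def parse_rpm_list(text):
    """Return a list of (nevra, install_epoch) tuples from rpm query output."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        nevra, ts = line.rsplit(None, 1)
        pkgs.append((nevra, int(ts)))
    return pkgs


def installed_since(pkgs, cutoff):
    """Packages whose recorded install time is at or after `cutoff` (aware datetime),
    oldest first, so an admin can see what arrived when."""
    cutoff_epoch = int(cutoff.timestamp())
    hits = [(n, t) for n, t in pkgs if t >= cutoff_epoch]
    return sorted(hits, key=lambda p: p[1])


def log_retention_start(pkgs, cutoff):
    """Earliest install time among suspect packages (the point from which IDS
    and NetFlow data should be kept), or None if nothing was installed after cutoff."""
    hits = installed_since(pkgs, cutoff)
    if not hits:
        return None
    return datetime.datetime.fromtimestamp(hits[0][1], tz=datetime.timezone.utc)


if __name__ == "__main__":
    # On a real host: rpm -qa --qf '...' | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_OUTPUT
    pkgs = parse_rpm_list(text)
    suspect = installed_since(pkgs, HYPOTHETICAL_CUTOFF)
    for nevra, ts in suspect:
        when = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {nevra}")
    start = log_retention_start(pkgs, HYPOTHETICAL_CUTOFF)
    print("retain logs from:", start.isoformat() if start else "n/a (no suspect packages)")
```

Install time only tells you when a package landed, not whether it was genuine; pairing the list with `rpm -K` (signature check) on the cached RPMs, and with the retained network data, is what lets a site decide between "treat as compromised" and "probably fine" once the project publishes the actual date.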



Full disclosure

Posted Aug 17, 2008 13:17 UTC (Sun) by cmc (subscriber, #16767)

What about mirror sites, should they be preventing access for Fedora updates downloaded after a particular date to lessen the risk to their clients? With the current dearth of information, they can't make a decision.

The official word so far is no. There is a (closed) mailing list for mirror admins that is used to keep us apprised of various issues related to mirror maintenance. If there was some issue that required the mirrors to be shut down, they would say so. Of course they can't force compliance, but they could remove or replace material on the masters and those removals would trickle down to most regularly updated mirrors unless their maintainers took special steps to retain that material.

Full disclosure

Posted Aug 17, 2008 20:23 UTC (Sun) by danieldk (subscriber, #27876)

Of course they can't force compliance, but they could remove or replace material on the masters and those removals would trickle down to most regularly updated mirrors unless their maintainers took special steps to retain that material.

They can kinda force it, since most people use yum with (Fedora-provided) mirrorlists. If necessary, they could just remove unwanted mirrors from the mirrorlist. In fact, CentOS automatically returns mirrors close to the machine location (according to GeoIP), and leaves out mirrors that are not in sync.

Full disclosure

Posted Aug 17, 2008 14:50 UTC (Sun) by ofeeley (subscriber, #36105)

Red Hat has not made any statement about risk

Don't expect any statement from Red Hat. Fedora is governed and administered by the Fedora Project Board, of which Paul Frields is the chair and Fedora Project Leader. We've already had two statements from him as reported here, and while they don't contain a lot of information I think we can assume that it's as much as can be said right now. Although Red Hat contributes generously and strongly to the Fedora Project, it would be inappropriate for them to make any statement about this independent (albeit with very strong ties) project.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds