a terse announcement
On August 14, Fedora leader Paul Frields sent out
"an issue in the infrastructure systems" supporting the project. This
"issue" could lead to some service outages, for which he apologized. Also
included in the note was this ominous warning:
We're still assessing the end-user impact of the situation, but as
a precaution, we recommend you not download or update any
additional packages on your Fedora systems.
As this article is written (August 20, just barely in time for the LWN
weekly publication deadline), there have been a couple of uninformative
updates, but the situation persists and nobody seems to know what is really
going on. The Fedora team, it would seem, is quite good at keeping secrets
when the need arises. As a result, Fedora users worldwide have spent
almost a full week wondering what has happened and whether they need to be
worried about it.
In such a situation, there is a delightful amount of space for wild
speculation. Your editor does not usually start his drinking binge until
after publication, but, for the purposes of interpreting the following, one
should assume that it was already well underway. This "issue" could be
explained by any of the following:
- Maybe a Fedora developer - on a drinking binge of his own, perhaps -
tripped over a power cord. The resulting mess not only deprived
an important server of power, but said developer, on his way toward
the floor, managed to take the entire rack down with him. Ever since,
the infrastructure team has been trying to reassemble a set of working
systems from the rubble.
- Last month, Fedora slipped a small patch into gcc designed to ensure
that the results from the most recent board election - where one slot
went to a candidate who was not a Red Hat employee - would never be
repeated. But the patch was botched, and most mathematical operations
in gcc-compiled programs have been returning random numbers ever since.
Now the Fedora team is trying to quietly replace the broken binaries
before anybody notices.
- It turns out that the rights to the Fedora name had never actually
been secured, and the real owner got an injunction shutting the
project down. As soon as all the branding has been changed, Fedora
will be reborn as Leopard-Skin Pillbox Hat Linux. Just wait until you
see the new desktop themes.
- The package signing key has been compromised, as have the build
servers. For the last six months, every version of Firefox shipped
by Fedora has reported account names, passwords, and credit card
numbers to a server located on a ship in international waters near
Colombia. The openssh client has been similarly modified. The Fedora
team has been slow to get an explanation out because it takes time to
relocate your home and family to an undisclosed location on a
- A vulnerability in RPM has enabled the creation of a large ecosystem
of hostile mirrors operated by competing criminal groups. Most Fedora
users have been installing compromised updates for the last year or
- No less than three Fedora system administrators turned out to be the
type of people who will give out
their password for a bar of chocolate. The provider of sweets
really only wanted to fix the longstanding claws-mail dependency
problems in Rawhide, but the project hit the panic button anyway.
- The Fedora team simply wanted to take a vacation in an undisclosed
location on a different continent and didn't want to deal with a bunch
of email on their return.
The real point of this being, of course, that none of us know what is going
on, creating a situation described by Alan
Cox as "leaving people in the dark assuming the worst - a very bad
way to create long term trust." Distributors occupy a crucial part
of our ecosystem; they absolutely need to have the trust of their
users. There is just too much that can go wrong at that level.
One can only assume that something fairly serious has happened. By all
accounts, the Fedora team has been working flat-out to get things resolved
as quickly as possible; they seem to be doing an exceptional job under a
great deal of pressure. They have undoubtedly earned a big round of thanks
- and lots of beers - from the Fedora community as a whole.
But Fedora's leadership appears to have failed here. If Fedora users need to be
concerned about the software running on their systems, they should have
been told by now. If they can relax and stop worrying, they should have
been told that as well. Instead, the Fedora user community has been left
wondering for nearly a week while the infrastructure they count on is torn
down and rebuilt from the beginning. Given that, Fedora users have shown a
tremendous amount of patience and restraint; the user community clearly has
a high degree of confidence in the project in general, and has been willing
to wait until the project is ready to come clean.
To retain that confidence, the Fedora project will have to tell the full
story in a clear manner - and sooner would certainly be better. A good
explanation of why Fedora users were made to wait so long before hearing
anything about how this "infrastructure issue" affects them will also be
needed. Fedora users are concerned about what has happened so far, but
their real response will be determined by what Fedora does next.
to post comments)