What happened with Fedora - and Red Hat too

Posted Aug 22, 2008 14:18 UTC (Fri) by smoogen (subscriber, #97)
In reply to: What happened with Fedora - and Red Hat too by Trou.fr
Parent article: What happened with Fedora - and Red Hat too

It will probably take a bit of time. A breach of a publicly traded company will be
investigated by various US Federal law enforcement and possibly other agencies (not sure if the
stock people have to look). Those agencies will put a legal clamp on releasing any
information until their investigation is done and they are sure that releasing the information
will not damage their investigation or possible future court case. 

That basically means that Red Hat/Fedora can't say anything without getting an ok from their
legal who has to get an ok from the various investigating groups who will have to co-ordinate
with each other to give an ok. 

[phew...]


What happened with Fedora - and Red Hat too

Posted Aug 22, 2008 14:29 UTC (Fri) by NAR (subscriber, #1313) [Link]

I guess Fedora is not a publicly traded company, so information about the Fedora server compromise should not be under any legal clamps of this type...

What happened with Fedora - and Red Hat too

Posted Aug 22, 2008 14:36 UTC (Fri) by smoogen (subscriber, #97) [Link]

Fedora is funded (systems, hardware, bandwidth, etc) by Red Hat, and is considered under
United States and most International law to be a part and parcel of Red Hat, Inc. 


Yes, AFAIK Fedora is legally under Redhat Inc.

Posted Aug 23, 2008 11:59 UTC (Sat) by darwish07 (subscriber, #49520) [Link]

Yes. This is also the reason for my inability to use Fedora.

Being in the Middle East, it's said in the Installation license agreement that you cannot use Fedora if you're in one of the US prohibited countries (Syria and others).

This implies that Fedora is considered part of Redhat Inc. under the US law.

I have not used Fedora for about 3 years, but I remember very well this kind of restriction on Fedora usage in those days, and I don't know if they still exist or not.

Yes, AFAIK Fedora is legally under Redhat Inc.

Posted Aug 23, 2008 15:03 UTC (Sat) by smoogen (subscriber, #97) [Link]

It would not matter if Fedora was a part of Red Hat or not. It's more whether Fedora is based inside of the United States or not. Any organization inside of the United States is bound by the same laws (whether or not they follow them).

State of projects controlled by US-based organizations

Posted Aug 23, 2008 15:41 UTC (Sat) by darwish07 (subscriber, #49520) [Link]

You seem right again ;-). I've checked the license agreement of Firefox-3 (the license window that appears after the first use) and it has the same set of restrictions. It's the first time I've noticed such a restriction.

One has to wonder if this applies to the source code or to the pre-compiled binaries only.

State of projects controlled by US-based organizations

Posted Aug 23, 2008 15:45 UTC (Sat) by smoogen (subscriber, #97) [Link]

The laws cover both source code in electronic format and binaries. If you can find it, read up on the history of the original international PGP implementations. Basically, since paper-printed are not covered under this law as they are considered 'freedom of the press'... the source code was published and brought to various countries where it was hand typed back in.

State of projects controlled by US-based organizations

Posted Aug 23, 2008 22:00 UTC (Sat) by darwish07 (subscriber, #49520) [Link]

Very nice information indeed. Thank you!

What happened with Fedora - and Red Hat too

Posted Aug 22, 2008 14:49 UTC (Fri) by jreiser (subscriber, #11027) [Link]

"A breach of a publicly traded company will be investigated ..."  That opinion is
optimistic.  Every year there are quite a few breaches of publicly traded companies that are
not detected or not reported.  Not reporting a breach that has been detected is a violation of
applicable regulations, but there are dummies or crooks at that stage, too.

What happened with Fedora - and Red Hat too

Posted Aug 22, 2008 19:00 UTC (Fri) by rahvin (subscriber, #16953) [Link]

It's assumed that given the information that RedHat picked up the phone and called the FBI
(who handles computer crime cases). Once that phone call is made Redhat will be "asked" to not
release any information that would interfere with the investigation. 

Any breach where the Feds don't get involved is a breach that wasn't reported to the Feds.
Personally I wouldn't trust any company that doesn't call the cops when their business is
broken into, whether physical or informational.

What happened with Fedora - and Red Hat too

Posted Aug 23, 2008 4:21 UTC (Sat) by sbergman27 (guest, #10767) [Link]

You forgot to mention internal worry about Red Hat's possible liability in the matter. No need to invoke the FBI, the CIA, and the SEC. 'Twas probably terrorists that done it, though...

What happened with Fedora - and Red Hat too

Posted Aug 23, 2008 22:48 UTC (Sat) by smoogen (subscriber, #97) [Link]

Every place I have dealt with where internal worry comes up... you would not have seen the servers locked down and 'closed' off. They would have taken a couple of the 'bad' ones down "for maintenance", rebuilt them and gone on their way without any notification. Then when the information got out somehow, it would have been first denied and then sullenly admitted.

[You seem to have a tendency to make everything into the worst case for Red Hat. Why is that?]

What happened with Fedora - and Red Hat too

Posted Aug 24, 2008 18:40 UTC (Sun) by sbergman27 (guest, #10767) [Link]

"""
[You seem to have a tendency to make everything into the worst case for Red Hat. Why is that?]
"""

You are misjudging my position. Red Hat is an excellent example of a sane and pragmatic company which has not become so jaded, self-absorbed, and preoccupied with short term trivialities, not to see the big picture. But they are not going to blurt out information that could land them in court, damage them, their shareholders, their sizable market cap, their reputation, etc. as long as it can be avoided. It's the difference between being a smart and pragmatic company that does a lot of good, and being a saint.

I don't paint Red Hat as being saintly, and some people choose to interpret that as negativity. I use Red Hat derived distros almost exclusively in my consulting work, though I now use Ubuntu on my own desktop. (RHEL and CentOS just 'click' for business use.) I do tend to be critical of Fedora. But that is because, in my opinion, there is more to be critical about when it comes to recent Fedora releases. (I begin to see this on servers that have to handle more than about 16 simultaneous desktops. Not so much on the smaller ones. But the problems are embarrassing.) Other than that the software versions are not cutting edge, it is extremely hard for me to come up with anything critical to say about RHEL and CentOS. If you look at my overall posting history regarding Red Hat, rather than focusing upon those pertaining to this 'infrastructure issue', I think you will see that I am actually a big Red Hat fan. Just without being a *fanboy*.
