
The Fedora-Red Hat Crisis (Datamation)


Posted Sep 10, 2008 23:05 UTC (Wed) by BrucePerens (subscriber, #2510)
In reply to: The Fedora-Red Hat Crisis (Datamation) by rahvin
Parent article: The Fedora-Red Hat Crisis (Datamation)

To compare apples to apples, you can see Debian's 2006 server compromise, which occurred to a system in the bastion (outside of the corporate firewall) at HP Fort Collins. They handled it much more openly than Red Hat.

The restrictions on publicly traded companies really act both ways. Destroying customer confidence by quashing discussion of a security issue will get you sued just as readily as saying too much about it.

Perhaps the bottom line here is that Fedora isn't as good a structure as Debian for maintaining the core of a Linux distribution, because Fedora is too close to the publicly-traded corporation to have freedom of action. Good engineering gets done when you have that freedom.



The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 0:04 UTC (Thu) by smoogen (subscriber, #97)

Yes, customer confidence is all a company selling/distributing Linux for the enterprise trades on. The questions I have from the Debian break-in that I could not see were:
1) Was the problem reported to police?
2) What was their take on it?
3) What would HP have done if the systems had been inside of a corporate firewall?

My biggest problem with your comments is that you are taking advantage of a person who can't speak for your public schadenfreude. I expected better of you versus cloning ESR. I expected you to write up a treatise of how a public group should handle security incidents.

Instead you seem intent on making non-Debians regret defending Debian against a-holes who posted "oh what a bunch of dorks" when the SSL issue or the Debian 2006 breach occurred.

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 0:17 UTC (Thu) by BrucePerens (subscriber, #2510)

I don't know what Debian's interaction with the police was.

Their take on it is public knowledge; just use Google.

I have seen HP handle a security issue horribly, and did my best to correct the problem while I was at HP. I can't take responsibility for how they behave today, except to note that I was really glad I didn't work there any longer the day their general counsel took the 5th in front of Congress and on national TV.

Red Hat is eminently able to speak for itself. They choose not to. I have been making it clear that the Debian way was the prototype for a public group handling security incidents. And hold the ESR insults, please.

Debian took its knocks standing up, and IMO that particular incident was dorky, and they owned up to it publicly and then went on with their lives. IMO that was honorable and you were quite right to defend them. What RH is doing today is very different.

Copyright © 2012, Eklektix, Inc.