> I reckon this part alone makes it different. Red Hat is a for-profit, publicly traded company. They turn over millions every year. SPI doesn't.

That's really the problem, isn't it? Once the money (laws concerning stockholders, management concerns about losing customers or money) gets in the way, you can't trust your distribution to do the right thing any longer.
Posted Sep 11, 2008 6:30 UTC (Thu) by bojan (subscriber, #14302)
I don't think that's a problem at all. By the nature of the relationship between Fedora and Red Hat, an undetected compromise of Fedora code can affect RHEL down the line. Hence, Red Hat have the responsibility to their shareholders even when it comes to this FOSS project they sponsor.
Money talks and all that... Nothing wrong with that.
All that being said, I'll bet $5 that if the root cause of the intrusion was something that required patching upstream (and it may be completely non-applicable), Red Hat folks would already be on it. After all, they run and live on open source software - why on earth would they want something like that to go unpatched for the rest of us? After all, many of us are their customers.
The Fedora-Red Hat Crisis (Datamation)
Posted Sep 11, 2008 15:33 UTC (Thu) by jspaleta (subscriber, #50639)
"Just to dispel this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."
-jef
How can you be sure?
Posted Sep 11, 2008 16:04 UTC (Thu) by khim (subscriber, #9252)
> I don't think that's a problem at all.
Puhlease.
> I'll bet $5 that if the root cause of the intrusion was something that required patching upstream (and it may be completely non-applicable), Red Hat folks would already be on it.

How? "Here, please take this patch: we can't say why you should apply it and how it will work, but you SHOULD apply it" - like this? As others have said: they can't talk about things that went wrong, they don't want to talk about boundaries (what they can say or can not), etc. This will SEVERELY impede interaction with upstream. Will it make it impossible to send the patch and get it accepted? Who knows. But I'm not holding my breath...

> After all, they run and live on open source software - why on earth would they want something like that go unpatched for the rest of us? After all, many of us are their customers.

The same logic applies to disclosure about the current situation. They used RHEL and Fedora systems to handle that, right? They were set up by the best professionals available, right? And they STILL were compromised - so probably the same story can be repeated around the world again and again... Disclosure can hurt Red Hat but will help customers - exactly as in the situation with the patch for upstream...
How can you be sure?
Posted Sep 11, 2008 22:32 UTC (Thu) by bojan (subscriber, #14302)
> we can't say why you should apply it and how it will work, but you SHOULD apply it
Say, for instance, it was a kernel problem. They can submit a patch that says: "such and such was fixed, which caused privilege escalation". This does not contain the information about the actual intrusion into their systems, but is a genuine patch with a genuine explanation.
> And they STILL were compromised
It doesn't necessarily follow that a security bug was the root cause of this.
The Fedora-Red Hat Crisis (Datamation)
Posted Sep 11, 2008 16:04 UTC (Thu) by smoogen (subscriber, #97)
Does that mean if one gets a paycheck, one can't be trusted either? Money is going to get in the way somewhere in that case.

So how does one pay for their food/shelter/net-access? Someone has to pay for it, and you are in some way 'indebted' to them for that access, so are potentially non-trustable to do the right thing.