The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 6:30 UTC (Thu) by bojan (subscriber, #14302)
In reply to: The Fedora-Red Hat Crisis (Datamation) by BrucePerens
Parent article: The Fedora-Red Hat Crisis (Datamation)

I don't think that's a problem at all. By the nature of the relationship between Fedora and Red Hat, an undetected compromise of Fedora code can affect RHEL down the line. Hence, Red Hat have the responsibility to their shareholders even when it comes to this FOSS project they sponsor.

Money talks and all that... Nothing wrong with that.

All that being said, I'll bet $5 that if the root cause of the intrusion was something that required patching upstream (and it may be completely non-applicable), Red Hat folks would already be on it. After all, they run and live on open source software - why on earth would they want something like that to go unpatched for the rest of us? After all, many of us are their customers.


(Log in to post comments)

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 15:33 UTC (Thu) by jspaleta (subscriber, #50639)

As to the $5 bet:

http://skvidal.wordpress.com/2008/09/09/fedora-security-i...

"Just to dispel this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."

-jef

How can you be sure?

Posted Sep 11, 2008 16:04 UTC (Thu) by khim (subscriber, #9252)

> I don't think that's a problem at all.

Puhlease.

> I'll bet $5 that if the root cause of the intrusion was something that required patching upstream (and it may be completely non-applicable), Red Hat folks would already be on it.

How? "Here, please take this patch: we can't say why you should apply it or how it will work, but you SHOULD apply it" - like this? As others have said: they can't talk about things that went wrong, they don't want to talk about boundaries (what they can or cannot say), etc. This will SEVERELY impede interaction with upstream. Will it make it impossible to send the patch and get it accepted? Who knows. But I'm not holding my breath...

> After all, they run and live on open source software - why on earth would they want something like that go unpatched for the rest of us? After all, many of us are their customers.

The same logic applies to disclosure about the current situation. They used RHEL and Fedora systems to handle that, right? They were set up by the best professionals available, right? And they STILL were compromised - so probably the same story can be repeated around the world again and again... Disclosure can hurt Red Hat but will help customers - exactly as in the situation with the patch for upstream...

How can you be sure?

Posted Sep 11, 2008 22:32 UTC (Thu) by bojan (subscriber, #14302)

> we can't say why you should apply it and how it will work, but you SHOULD apply it

Say, for instance, it was a kernel problem. They can submit a patch that says: "such and such was fixed, which caused privilege escalation". This does not contain information about the actual intrusion into their systems, but is a genuine patch with a genuine explanation.

> And they STILL were compromised

It doesn't necessarily follow that a security bug was the root cause of this.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds