Fedora distributes new keys

Posted Sep 11, 2008 3:55 UTC (Thu) by luya (subscriber, #50741)
In reply to: Fedora distributes new keys by BrucePerens
Parent article: Fedora distributes new keys

What would be wise is to wait for the result of investigations. As a CSI, would you fully reveal information before gathering evidence? Unlike Debian, Red Hat is a company.

Fedora distributes new keys

Posted Sep 11, 2008 9:10 UTC (Thu) by russell (guest, #10458)

But Fedora is supposed to be a community and unfortunately it appears some people in the community are becoming more equal than others.

Fedora distributes new keys

Posted Sep 11, 2008 12:48 UTC (Thu) by skvidal (guest, #3094)

More equal, how?

More Equal...

Posted Sep 11, 2008 14:30 UTC (Thu) by grantingram (guest, #18390)

That was a reference to a novel by George Orwell called "Animal Farm" about evil governments. A short explanation is found at bartleby.com

The point I think the poster is making is: some members of the community (Fedora Board members who work for Red Hat) have access to information that others do not (Fedora Board members who do not work for Red Hat).

More Equal...

Posted Sep 11, 2008 14:42 UTC (Thu) by skvidal (guest, #3094)

I know where the reference is from. What I wanted to know is why you thought that made them 'more equal'. To be clear the 'more equal' folks aren't just employees of red hat. They're the folks who were on the site of the intrusion earliest. Some are red hat employees, some are not.

More Equal...

Posted Sep 11, 2008 15:32 UTC (Thu) by grantingram (guest, #18390)

Actually I was just attempting to be helpful - I'm not the one who made the "more equal" comment.

But I think that what makes them "more equal" is that they have information that others don't?

More Equal...

Posted Sep 11, 2008 18:11 UTC (Thu) by rahulsundaram (subscriber, #21946)

That would be true of any sort of project, that some people have more information than others. There are all sorts of private and confidential data in many large projects. Even many community distributions have private mailing lists that deal with people, legal and other issues. Doesn't really change their overall nature.

More Equal...

Posted Sep 11, 2008 16:07 UTC (Thu) by jake (editor, #205)

> They're the folks who were on the site of the intrusion earliest.
> Some are red hat employees, some are not.

This seems to imply they are employees of the hosting/colo facility that Red Hat and Fedora use. If true, it is a little tidbit of information, which seems to keep dribbling out. Perhaps that is what you were trying to say on Tuesday in #fedora-board-public about Debian (or other distros) being just as susceptible to the information disclosure problem as Fedora/Red Hat currently are.

If so, beating around the bush is just causing annoyance to no good end. I recognize that you (and Fedora, perhaps even Red Hat) don't get to make those decisions, but whoever does should get an earful imo.

jake

More Equal...

Posted Sep 11, 2008 16:12 UTC (Thu) by skvidal (guest, #3094)

No, nothing to do with the colo at all. There are Fedora infrastructure people who are completely trusted and have root to the Fedora systems who were not Red Hat employees when they were granted access. They are employees, now, however.

Three examples of this:
- Me
- Dennis Gilmore
- Ricky Zhou

I didn't mean to confuse anything.

-sv

Same problem, different perceptions

Posted Sep 11, 2008 17:36 UTC (Thu) by quaid (guest, #26101)

Jake, thanks for attending the meeting and engaging in a lively discussion. I appreciate that you are trying to separate your feelings/fears/concerns as a Fedora user from your role as a reporter.

In the open public question/discussion channel, I think you showed (and identified) your personal bias that the existence of Red Hat in Fedora's affairs makes Fedora less of a community distro. Myself, other Board members, and other community members provided several examples and reasons of how the situation with Fedora and with previous distro security problems are not equivalent.

There has never been an equivalent situation to what happened to Fedora, and it has nothing to do specifically with Red Hat. Red Hat just happens to be the incorporated-in-the-US entity involved that changed the tenor of the situation. That could happen to any distro, and it does not diminish their being a "truly community distro." I think Seth's example was a great one:

skvidal	lwnjake: here's an example
...
skvidal	lwnjake: a debian server gets crack[ed]
skvidal	lwnjake: the cracker hosts A LOT of kiddie porn
skvidal	and terrorist documentation
...
skvidal	the hosting provider gets a national security letter
skvidal	debian is down and out
skvidal	and not allowed
skvidal	AT ALL
skvidal	to speak about it
skvidal	would that be a failing of debian?
lwnjake	we can discuss scenarios all day, it doesn't change the fact that you folks can't even confirm whether you know how the intrusion occurred
skvidal	or would it be the fact that law is different

You and others keep asking questions that people are repeatedly saying they are not able to answer. Ironically, the answer is probably staring you in the face, but if you believe "... it comes from red hat legal or at least that is the perception", you continue to look for answers that implicate an Evil Overlord.

Same problem, different perceptions

Posted Sep 11, 2008 20:16 UTC (Thu) by jake (editor, #205)

> I think you showed (and identified) your personal bias that the existence
> of Red Hat in Fedora's affairs makes Fedora less of a community distro.

My use of "community" was not really describing what I meant. "Independent" is a much better word and the one I used in the article. I did not mean to push the hot button that Fedora folks have (understandably) about being a "community" distribution.

> if you believe "... it comes from red hat legal or at least that is the
> perception", you continue to look for answers that implicate an Evil
> Overlord.

I, like most folks, don't know what to believe. Someone is stopping you (perhaps not you personally, but Fedora) from telling us important things like whether you know how the intrusion happened. Whoever is doing that has done a grave disservice to the reputation of Fedora and Red Hat.

You, and others, have implied that it is some kind of law enforcement agency, perhaps even a National Security Letter, that is stopping *any* information from being released. If so, one hopes that Red Hat's lawyers are busy doing whatever they can to circumvent that. Fedora and Red Hat have a responsibility to their customers and the community that is being set aside.

It's not that folks don't understand that Fedora cannot say any more than it has, it's that they fairly strongly believe that more could be said without jeopardizing whatever ongoing investigation there is. While we eventually want to know what all the hubbub is about, what we want to know *now*, nearly a month after the incident, is what, if anything, we need to be on the lookout for. If there is some unknown exploit out there, many eyes are more likely to find it than one. If there isn't, then someone should force the entity responsible to *say* so.

jake

Same problem, different perceptions

Posted Sep 11, 2008 20:38 UTC (Thu) by pr1268 (subscriber, #24648)

Very well said! And I'd also like to thank you, Jake, for participating in this discussion.

Even as a non-RH/Fedora user, I'm still following this whole story closely as the incident, its aftermath, and RH's/Fedora's corrective strategies all impact Free/Open Source in general.

Same problem, different perceptions

Posted Sep 11, 2008 20:51 UTC (Thu) by skvidal (guest, #3094)

I'll quote, again, from the announcement from 8/22:

"These efforts have also not resulted in the discovery of additional security vulnerabilities in packages provided by Fedora."

and then I'll quote from my own blog:

"Just to dispel this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."

Hope this helps.

Same problem, different perceptions

Posted Sep 11, 2008 21:08 UTC (Thu) by jake (editor, #205)

> "These efforts have also not resulted in the discovery of additional
> security vulnerabilities in packages provided by Fedora."

Which can be read several different ways:

- we don't know how the intrusion occurred
- we do know, but it wasn't an "additional security vulnerability" in a package that Fedora ships, which leaves packages that Fedora doesn't ship as well as known, but unpatched, vulnerabilities
- probably other interpretations depending on what the meaning of "is" is

I know you are trying to be helpful and you folks don't like this any more than I do, but after almost a month, I think we are due more than lawyer-ese like the above.

jake

More Equal...

Posted Sep 12, 2008 11:03 UTC (Fri) by russell (guest, #10458)

See my comment further down.

Fedora distributes new keys

Posted Sep 11, 2008 15:03 UTC (Thu) by pjones (subscriber, #31722)

I think you're making a fundamentally flawed assumption about what it is to be a community. A community is a social structure in which there are relationships that vary on both a domain-specific basis and a trust related basis. In the Fedora community, the people who know the details of this issue are those who have a sufficient history in the community, and who have domain-specific reasons to be involved in the investigation.

It is only natural that many of the people whose histories with Fedora are the longest are employees of Red Hat. Thus, in a situation like this, it's true that those people are going to be the most trusted. It's not an Animal Farm scenario; there are elders, and the elders are those who are called upon for guidance and action when times are tough. That's responsibility, not exclusivity.

Fedora distributes new keys

Posted Sep 12, 2008 9:27 UTC (Fri) by russell (guest, #10458)

Open content is even more contentious than open source software. There is a large quantity of opposition to keeping information free. Persecution and prosecution of people who work to keep informed content free continues. Because of the danger of self-censorship in a closed or partially open format, it is safer to work entirely in the open.

This snippet of text is taken directly from the Steering Committee's charter.

I have no doubt that they believe they are being responsible. But they are also being exclusive.

Time will tell if this really is an animal farm scenario. Right now it certainly feels like it.

Fedora distributes new keys

Posted Sep 13, 2008 0:29 UTC (Sat) by jspaleta (subscriber, #50639)

To be clear... that is a quote from the Fedora Documentation sub-project's Steering Committee Charter. And it is not a quote from the Fedora Board, nor from the Fedora Engineering Steering Committee, nor from Fedora Infrastructure.

I'm pretty sure that the Fedora Documentation Team isn't directly involved in the incident handling, so a close reading of their charter is probably unwarranted. And even if someone were to read it looking for insight, there is probably very little there that can be used in the context of the discussion at hand, since the documentation group isn't directly involved.

When we have an incident response plan, I'll do my best to make sure that the Documentation Group has an opportunity to be a part of the process of documenting that plan for public consumption.

-jef

Fedora distributes new keys

Posted Sep 13, 2008 6:01 UTC (Sat) by russell (guest, #10458)

My mistake, I thought it was the Fedora Steering Committee charter (documented by the Docs project).

Doing a search for more charters showed very little else. However, when reading about the Board I noticed a mailing list where some things are discussed in private. I didn't expect to see that. What sort of things would those be? This appears to be something that the Docs project wouldn't do? So what exactly are the rules of this community? Something clearly defined and easy to find would be nice, if not essential, for a community.

Fedora distributes new keys

Posted Sep 14, 2008 11:35 UTC (Sun) by rahulsundaram (subscriber, #21946)

Legal issues, for instance, might be discussed by the Fedora Board in a private list. The Documentation team doesn't have the need for that. The Fedora Board wiki page has the details.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds