
More Equal...

Posted Sep 11, 2008 16:07 UTC (Thu) by jake (editor, #205)
In reply to: More Equal... by skvidal
Parent article: Fedora distributes new keys

> They're the folks who were on the site of the intrusion earliest.
> Some are red hat employees, some are not.

This seems to imply they are employees of the hosting/colo facility that Red Hat and Fedora use. If true, it is a little tidbit of information, of the kind which seems to keep dribbling out. Perhaps that is what you were trying to say on Tuesday in #fedora-board-public about Debian (or other distros) being just as susceptible to the information disclosure problem as Fedora/Red Hat currently are.

If so, beating around the bush is just causing annoyance to no good end. I recognize that you (and Fedora, perhaps even Red Hat) don't get to make those decisions, but whoever does should get an earful imo.

jake



More Equal...

Posted Sep 11, 2008 16:12 UTC (Thu) by skvidal (guest, #3094)

No, nothing to do with the colo at all. There are Fedora infrastructure people who are completely trusted and have root to the Fedora systems who were not Red Hat employees when they were granted access. They are employees now, however.

Three examples of this:
- Me
- Dennis Gilmore
- Ricky Zhou

I didn't mean to confuse anything.

-sv

Same problem, different perceptions

Posted Sep 11, 2008 17:36 UTC (Thu) by quaid (guest, #26101)

Jake, thanks for attending the meeting and engaging in a lively discussion. I appreciate that you are trying to separate your feelings/fears/concerns as a Fedora user from your role as a reporter.

In the open public question/discussion channel, I think you showed (and identified) your personal bias that the existence of Red Hat in Fedora's affairs makes Fedora less of a community distro. Myself, other Board members, and other community members provided several examples and reasons of how the situation with Fedora and with previous distro security problems are not equivalent.

There has never been an equivalent situation to what happened to Fedora, and it has nothing to do specifically with Red Hat. Red Hat just happens to be the incorporated-in-the-US entity involved that changed the tenor of the situation. That could happen to any distro, and it does not diminish their being a "truly community distro." I think Seth's example was a great one:

skvidal 	 lwnjake: here's an example
...
skvidal 	lwnjake: a debian server gets crack[ed]
skvidal 	lwnjake: the cracker hosts A LOT of kiddie porn
skvidal 	and terrorist documentation
...
skvidal 	the hosting provider gets a national security letter
skvidal 	debian is down and out
skvidal 	and not allowed
skvidal 	AT ALL
skvidal 	to speak about it
skvidal 	would that be a failing of debian?
lwnjake 	we can discuss scenarios all day, it doesn't change the fact that you folks can't even confirm whether you know how the intrusion occurred
skvidal 	or would it be the fact that law is different

You and others keep asking questions that people are repeatedly saying they are not able to answer. Ironically, the answer is probably staring you in the face, but if you believe "... it comes from red hat legal or at least that is the perception", you continue to look for answers that implicate an Evil Overlord.

Same problem, different perceptions

Posted Sep 11, 2008 20:16 UTC (Thu) by jake (editor, #205)

> I think you showed (and identified) your personal bias that the existence
> of Red Hat in Fedora's affairs makes Fedora less of a community distro.

My use of "community" was not really describing what I meant. "Independent" is a much better word and the one I used in the article. I did not mean to push the hot button that Fedora folks have (understandably) about being a "community" distribution.

> if you believe "... it comes from red hat legal or at least that is the
> perception", you continue to look for answers that implicate an Evil
> Overlord.

I, like most folks, don't know what to believe. Someone is stopping you (perhaps not you personally, but Fedora) from telling us important things like whether you know how the intrusion happened. Whoever is doing that has done a grave disservice to the reputation of Fedora and Red Hat.

You, and others, have implied that it is some kind of law enforcement agency, perhaps even a National Security Letter, that is stopping *any* information from being released. If so, one hopes that Red Hat's lawyers are busy doing whatever they can to circumvent that. Fedora and Red Hat have a responsibility to their customers and the community that is being set aside.

It's not that folks don't understand that Fedora cannot say any more than it has, it's that they fairly strongly believe that more could be said without jeopardizing whatever ongoing investigation there is. While we eventually want to know what all the hubbub is about, what we want to know *now*, nearly a month after the incident, is what, if anything, we need to be on the lookout for. If there is some unknown exploit out there, many eyes are more likely to find it than one. If there isn't, then someone should force the entity responsible to *say* so.

jake

Same problem, different perceptions

Posted Sep 11, 2008 20:38 UTC (Thu) by pr1268 (subscriber, #24648)

Very well said! And I'd also like to thank you, Jake, for participating in this discussion.

Even as a non-RH/Fedora user, I'm still following this whole story closely as the incident, its aftermath, and RH's/Fedora's corrective strategies all impact Free/Open Source in general.

Same problem, different perceptions

Posted Sep 11, 2008 20:51 UTC (Thu) by skvidal (guest, #3094)

I'll quote, again, from the announcement from 8/22:

"These efforts have also not resulted in the discovery of additional security vulnerabilities in packages provided by Fedora."

and then I'll quote from my own blog:
"Just to dispel this concern. Every package we (Fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."

Hope this helps.

Same problem, different perceptions

Posted Sep 11, 2008 21:08 UTC (Thu) by jake (editor, #205)

> "These efforts have also not resulted in the discovery of additional
> security vulnerabilities in packages provided by Fedora."

Which can be read several different ways:

- we don't know how the intrusion occurred
- we do know, but it wasn't an "additional security vulnerability" in a package that Fedora ships, which leaves packages that Fedora doesn't ship as well as known, but unpatched, vulnerabilities
- probably other interpretations depending on what the meaning of "is" is

I know you are trying to be helpful and you folks don't like this any more than I do, but after almost a month, I think we are due more than lawyer-ese like the above.

jake


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds