08-21-2008, 01:54 PM
Jonathan Underwood
non-disclosure of infrastructure problem a management issue?

2008/8/21 Bjoern Tore Sund <bjorn.sund@it.uib.no>:
> It has now been a full week since the first announcement that Fedora had
> "infrastructure problems" and to stop updating systems. Since then there
> have been two updates to the announcement, none of which have modified the
> "don't update" advice and none of which has been specific as to the exact
> nature of the problems. At one point we received a list of servers, but not
> services, which were back up and running.
>
> The University of Bergen has 500 linux clients running Fedora. We average
> one reinstall/fresh install per day, often doing quite a lot more. Installs
> and reinstalls have had to stop completely, nightly updates have stopped, and
> until the nature of the problem is revealed we don't even know for certain
> whether it is safe for our IT staff to type admin passwords to our
> (RHEL-based, for the most part) servers from these work stations.
>
> Sometimes unfortunate events happen beyond anyone's control. We understand
> this as well as anyone. We trust the assurances that the infrastructure
> team is working hard on resolving the matter and are grateful to them for
> the job they do. So far nothing that has happened with this issue has
> reflected poorly on them.
>
> Sadly, the same cannot be said about the Management of the Fedora project.
> Their choice of complete non-disclosure is enough to eradicate any and all
> confidence that Fedora is a trustworthy platform for Linux installations.
> What information they have released has been deliberately vague and,
> frankly, useless. For a day or two to secure things this may be a workable
> strategy. For a full week, not giving the community participants any chance
> whatsoever to protect themselves from threats indicated but not specified?
> This is poor management and poor judgement and reflects very badly not only
> on the Fedora project but on Fedora's RedHat sponsor as well. The issue is
> more than serious enough and has gone on for more than long enough that
> someone higher up the scale should have stepped in a long time ago and made
> sure that all relevant info was released to the community.
>
> We strongly encourage both the Fedora management and RedHat as a Fedora
> sponsor to immediately release any and all information relating to the
> current infrastructure problems.

I suspect that if you really want a response to this, you'll need to
send it to the fedora-advisory-board

http://www.redhat.com/mailman/listinfo/fedora-advisory-board

Jonathan.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
08-21-2008, 07:58 PM
Bjørn Tore Sund
non-disclosure of infrastructure problem a management issue?

I have been advised that this is a better list than fedora-list to send this
email to.

It has now been a full week since the first announcement that Fedora had
"infrastructure problems" and to stop updating systems. Since then there have
been two updates to the announcement, none of which have modified the "don't
update" advice and none of which has been specific as to the exact nature of
the problems. At one point we received a list of servers, but not services,
which were back up and running.

The University of Bergen has 500 linux clients running Fedora. We average
one reinstall/fresh install per day, often doing quite a lot more. Installs
and reinstalls have had to stop completely, nightly updates have stopped, and
until the nature of the problem is revealed we don't even know for certain
whether it is safe for our IT staff to type admin passwords to our
(RHEL-based, for the most part) servers from these work stations.

Sometimes unfortunate events happen beyond anyone's control. We understand
this as well as anyone. We trust the assurances that the infrastructure team
is working hard on resolving the matter and are grateful to them for the job
they do. So far nothing that has happened with this issue has reflected
poorly on them.

Sadly, the same cannot be said about the Management of the Fedora project.
Their choice of complete non-disclosure is enough to eradicate any and all
confidence that Fedora is a trustworthy platform for Linux installations.
What information they have released has been deliberately vague and,
frankly, useless. For a day or two to secure things this may be a workable
strategy. For a full week, not giving the community participants any chance
whatsoever to protect themselves from threats indicated but not specified?
This is poor management and poor judgement and reflects very badly not only
on the Fedora project but on Fedora's RedHat sponsor as well. The issue is
more than serious enough and has gone on for more than long enough that
someone higher up the scale should have stepped in a long time ago and made
sure that all relevant info was released to the community.

We strongly encourage both the Fedora management and RedHat as a Fedora
sponsor to immediately release any and all information relating to the
current infrastructure problems.

Regards,

-BT, linux client architect, University of Bergen
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.



_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-advisory-board
 
08-21-2008, 08:03 PM
Tom "spot" Callaway
non-disclosure of infrastructure problem a management issue?

On Thu, 2008-08-21 at 21:58 +0200, Bjørn Tore Sund wrote:
> We strongly encourage both the Fedora management and RedHat as a
> Fedora
> sponsor to immediately release any and all information relating to the
> current infrastructure problems.

Without being specific, know that your concerns have been heard, and are
in the process of being addressed. Please don't ask me for more details,
it is not my place to give them.

Thanks,

Tom Callaway, Fedora Legal

 
08-21-2008, 08:06 PM
Josh Boyer
non-disclosure of infrastructure problem a management issue?

On Thu, 2008-08-21 at 21:58 +0200, Bjørn Tore Sund wrote:
> Sadly, the same cannot be said about the Management of the Fedora project.
> Their choice of complete non-disclosure is enough to eradicate any and all
> confidence that Fedora is a trustworthy platform for Linux installations.
> What information they have released has been deliberately vague and,
> frankly, useless. For a day or two to secure things this may be a workable
> strategy. For a full week, not giving the community participants any chance
> whatsoever to protect themselves from threats indicated but not specified?
> This is poor management and poor judgement and reflects very badly not only
> on the Fedora project but on Fedora's RedHat sponsor as well. The issue is
> more than serious enough and has gone on for more than long enough that
> someone higher up the scale should have stepped in a long time ago and made
> sure that all relevant info was released to the community.

I'm not entirely sure what you mean by management. If you mean the
governing bodies of Fedora, I can assure you that FESCo _did_ ask to be
informed and we were told they could not be. I know this because I was the
one that asked.

Whether all of the Fedora Board (the only group higher than FESCo) has
been informed or not, I have no idea.

josh

 
08-21-2008, 09:06 PM
Jeff Spaleta
non-disclosure of infrastructure problem a management issue?

On Thu, Aug 21, 2008 at 12:06 PM, Josh Boyer <jwboyer@gmail.com> wrote:
> Whether all of the Fedora Board (the only group higher than FESCo) has
> been informed or not, I have no idea.

In my capacity as a Board member I have not been informed of specifics.
And to be quite honest, having me know anything doesn't automatically
help get things resolved with the infrastructure. Nor would it mean
that I would choose to disclose information even if I knew it. Nor
would it mean that I would choose to disclose that I knew information.
The Board has been told it's being worked on by our infrastructure,
I've poked at individuals probably like you have and gotten assurances
that it's being worked on.

-jef

 
08-21-2008, 10:36 PM
Clint Dilks
non-disclosure of infrastructure problem a management issue?

Bjoern Tore Sund wrote:
> It has now been a full week since the first announcement that Fedora
> had "infrastructure problems" and to stop updating systems. Since
> then there have been two updates to the announcement, none of which
> have modified the "don't update" advice and none of which has been
> specific as to the exact nature of the problems. At one point we
> received a list of servers, but not services, which were back up and
> running.
>
> The University of Bergen has 500 linux clients running Fedora. We
> average one reinstall/fresh install per day, often doing quite a lot
> more. Installs and reinstalls have had to stop completely, nightly
> updates have stopped, and until the nature of the problem is revealed
> we don't even know for certain whether it is safe for our IT staff to
> type admin passwords to our (RHEL-based, for the most part) servers
> from these work stations.
>
> Sometimes unfortunate events happen beyond anyone's control. We
> understand this as well as anyone. We trust the assurances that the
> infrastructure team is working hard on resolving the matter and are
> grateful to them for the job they do. So far nothing that has happened
> with this issue has reflected poorly on them.
>
> Sadly, the same cannot be said about the Management of the Fedora
> project. Their choice of complete non-disclosure is enough to
> eradicate any and all confidence that Fedora is a trustworthy platform
> for Linux installations. What information they have released has been
> deliberately vague and, frankly, useless. For a day or two to secure
> things this may be a workable strategy. For a full week, not giving
> the community participants any chance whatsoever to protect themselves
> from threats indicated but not specified? This is poor management and
> poor judgement and reflects very badly not only on the Fedora project
> but on Fedora's RedHat sponsor as well. The issue is more than
> serious enough and has gone on for more than long enough that someone
> higher up the scale should have stepped in a long time ago and made
> sure that all relevant info was released to the community.
>
> We strongly encourage both the Fedora management and RedHat as a
> Fedora sponsor to immediately release any and all information relating
> to the current infrastructure problems.
>
> Regards,
>
> -BT, linux client architect, University of Bergen


Hi, I work in an environment very similar to yours, a University in New
Zealand. And while I understand your frustration and agree that this
situation and the communication surrounding it have been managed poorly,
I will say that we as administrators cannot blame Fedora if we make
their infrastructure too critical to our own systems. For example we can
make our own local repositories and we can control / test updates to try
and minimize the risks from events such as this.


 
08-21-2008, 11:28 PM
Nifty Fedora Mitch
non-disclosure of infrastructure problem a management issue?

On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora
>> had "infrastructure problems" and to stop updating systems.
>
> Hi, I work in an environment very similar to yours, a University in New
> Zealand. And while I understand your frustration and agree that this
> situation and the communication surrounding it have been managed poorly,
> I will say that we as administrators cannot blame Fedora if we make
> their infrastructure too critical to our own systems. For example we can
> make our own local repositories and we can control / test updates to try
> and minimize the risks from events such as this.

Just guessing,

This smells like a hacker was detected or a hack was discovered.
As readers of this list will note the historic resolution for a
hacked system has been to do a full reload which takes time.

SSH key management may also be at issue given the key generation flaw known
as the Debian SSH key attacks. In some cases a key can be recovered in
20 min... In this case the issue might be poor keys generated outside
of RH and not a flaw in RH process or tools.

If it had been a blown disk farm we would have more info already.

The more I read about the SSH key attacks the more convinced
I am that there is a need to update my set of keys for me and my systems.

In time they will tell.

--
T o m M i t c h e l l
Got a great hat... now what.

 
08-22-2008, 12:41 AM
Jeffrey Tadlock
non-disclosure of infrastructure problem a management issue?

On Thu, Aug 21, 2008 at 3:58 PM, Bjørn Tore Sund <bjorn.sund@it.uib.no> wrote:
> It has now been a full week since the first announcement that Fedora had
> "infrastructure problems" and to stop updating systems. Since then there have
> been two updates to the announcement, none of which have modified the "don't
> update" advice and none of which has been specific as to the exact nature of
> the problems.

The vague "don't update your systems" portion has been the most
frustrating thing for me so far. As a Fedora contributor I can handle
the infrastructure systems being down. And despite the lack of
transparency behind this - I know there are many people on the
infrastructure team that care as much about openness and transparency
as I do - if not more. So the fact they aren't jumping up and down
means there must be other factors at play that they simply cannot
disclose for some reason. I trust them, so I trust those decisions.

With that said - I think the users needed to know a lot more - maybe
not specifics of the situation, but at least things they might need to
do to repair or know whether they can trust their systems. The
vagueness of announcement emails has done a disservice to Fedora
users. Saying do not update your systems and providing no details of
what is meant by that in a week's time is difficult to excuse. What if
a user did update before seeing the announcement? Is their system to
be trusted? Is it safe? Should they reinstall, remove bad packages?
What steps should they be taking if they might have updated before
seeing the announcement?

A week is a long time to go not knowing just how safe your system is or
what it might have been exposed to or even whether it is safe to trust
updates again.

~Jeffrey

 
08-22-2008, 03:08 PM
Anne Wilson
non-disclosure of infrastructure problem a management issue?

On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
> Just guessing,
>
> This smells like a hacker was detected or a hack was discovered.
> As readers of this list will note the historic resolution for a
> hacked system has been to do a full reload which takes time.
>
> SSH key management may also be at issue given the key generation flaw known
> as the Debian SSH key attacks. In some cases a key can be recovered in
> 20 min... In this case the issue might be poor keys generated outside
> of RH and not a flaw in RH process or tools.
>
> If it had been a blown disk farm we would have more info already.
>
> The more I read about the SSH key attacks the more convinced
> I am that there is a need to update my set of keys for me and my systems.
>
> In time they will tell.

Today's announcement is pretty clear. There was an intrusion, and it affected
the server which signs packages, hence the warning to hold off until tests
had been done. All the evidence is that the key passphrase was not
successfully hacked, so it's unlikely that we have any corrupt packages if we
only accept signed ones. New signatures are to play safe, and it is now safe
to resume normal working practices.

I still think that the very low-volume announce list is essential for all
Fedora users.

Anne
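Clint's point about running a site-local repository and Anne's point about only accepting signed packages, combined into one yum repository definition. This is an added example, not configuration from the thread or from the Fedora project; the mirror path and the GPG key file path are assumptions for a site that mirrors and stages updates itself.

```ini
# Added example (not from the thread). Two definitions of the same local
# mirror: the first trusts whatever the mirror serves, the second refuses
# any package that does not carry a valid Fedora signature. Paths are
# assumptions for an imaginary site.

# Weak setting: no signature check. A tampered package on the mirror, or
# one that slipped into the mirror from an upstream that was not trusted
# at the time, installs without complaint. Kept disabled here.
[fedora-local-unverified]
name=Fedora $releasever - site mirror, no signature check (do not enable)
baseurl=file:///srv/mirror/fedora/$releasever/$basearch/os/
enabled=0
gpgcheck=0

# Corrected setting: clients pull only from the site mirror, which local
# staff sync and test on their own schedule (so an upstream "don't update"
# advisory simply means: do not promote the next sync), and every package
# must verify against the named key before yum will install it.
[fedora-local]
name=Fedora $releasever - site mirror, signatures enforced
baseurl=file:///srv/mirror/fedora/$releasever/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
```

With gpgcheck=1 the key in gpgkey must already be imported into the rpm database (or yum will prompt to import it), which is the step where a site decides which signing key it trusts.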
 
08-22-2008, 04:40 PM
David
non-disclosure of infrastructure problem a management issue?

Anne Wilson wrote:
> On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
>> Just guessing,
>>
>> This smells like a hacker was detected or a hack was discovered.
>> As readers of this list will note the historic resolution for a
>> hacked system has been to do a full reload which takes time.
>>
>> SSH key management may also be at issue given the key generation flaw known
>> as the Debian SSH key attacks. In some cases a key can be recovered in
>> 20 min... In this case the issue might be poor keys generated outside
>> of RH and not a flaw in RH process or tools.
>>
>> If it had been a blown disk farm we would have more info already.
>>
>> The more I read about the SSH key attacks the more convinced
>> I am that there is a need to update my set of keys for me and my systems.
>>
>> In time they will tell.
>
> Today's announcement is pretty clear. There was an intrusion, and it affected
> the server which signs packages, hence the warning to hold off until tests
> had been done. All the evidence is that the key passphrase was not
> successfully hacked, so it's unlikely that we have any corrupt packages if we
> only accept signed ones. New signatures are to play safe, and it is now safe
> to resume normal working practices.
>
> I still think that the very low-volume announce list is essential for all
> Fedora users.

At the very least it should be suggested, recommended, or maybe an
'auto signup' when signing up for any other of the 'public type' lists.
For them, the newer users, because it is important. Those of us with
experience know, or should know, enough to do that.

It is a very low-volume list so even those with 'limits' should see the
value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but
then the 'I didn't know' whines should stop because of the 'opt-out'.
Those that opt-out, and whine, should be ignored. ;-)

--
David