fedora security incident discussion at the board meeting today

September 9, 2008

Something that came up at the board meeting today is that some folks are worried that their systems are not completely patched or current, and that Fedora infrastructure may have patches applied that we cannot tell people about.

Just to dispel this concern: every package we (Fedora infrastructure) have installed or updated on a system since the incident occurred is public and available.

I hope this helps.


3 Responses to “fedora security incident discussion at the board meeting today”

  1. Thruhike98 Says:

    That’s good to know. Thanks.

    Have you heard much about the level of end-user input that’ll be required to shift over to the new update keys, and when this might occur?

    (I’m thinking less about my machine than I am about that phone call to walk the parents through getting updates again.)

  2. Thruhike98 Says:

    I found this from the fedora-announce-list, which explains the new key/repository process.

  3. Scott Doty Says:

    I was the one that brought up this concern — but not for the end user, but for the infrastructure.

    I see no reason not to give a “yes” or “no” answer to my question. In other words, this is not a “complex question”:

    Has the hole/mole _in the infrastructure_ been found, and has that hole/mole been patched/dealt with/fired/whatever?

    And whenever I ask this question, people refer to vague statements that anyone with half a brain can see don’t answer the question. Systems security demands rigor, and I view such prevarications and hand-waving with suspicion.

    And I should add, when this is brought up in the Freenode #fedora channel, the inquirer is piled upon with bureaucratic nonsense that does nothing to answer the question…nor allay the suspicions of those for whom systems security isn’t just some passing idle fancy.

    To put a finer point on this: I am told that this topic is off-topic for #fedora . Considering the situation, it escapes me why folks with a fedora cloak wouldn’t be glad to allay these suspicions…but instead, one is handed wishy-washy pablum that avoids answering the question.

    And since I have experience with such investigations, I am reasonably certain that answering my simple, direct, to-the-point question would not run afoul of any reasonable law enforcement restrictions.

    So it is this lack of information, reticence to consent to open discussion of this extremely vital security matter in #fedora, failure to answer the question “has the mole/hole been fired/closed?” (in #fedora), and bureaucratic hoops that one is forced to leap through to even _ask the question_ (coupled with the sandbagging and brick wall attitude encountered with such a question), that I’ve made my assessment:

    Fedora’s security posture would seem to exhibit opportunities for improvement — not only with a better incident response plan, but better liaison with law enforcement to ensure that Fedora officials can relate important security statements to the end user. There should be no problem _clearly_ and _directly_ answering such questions that arise, regarding the state of Fedora infrastructure — both for end-user inspection, as well as peer-review.

    This is how FOSS works.

    Beyond this, I’ll post my (no-doubt long-winded) call for discussion of incident response in fedora-security-list (unless someone has a better idea).

    “That’s my story, and I’m sticking with it.”

    -Scott (“vallor” on Freenode)
