
Re: non-disclosure of infrastructure problem a management issue?

Bjoern Tore Sund venit, vidit, dixit 21.08.2008 11:04:
> It has now been a full week since the first announcement that Fedora had 
> "infrastructure problems" and to stop updating systems.  Since then there 
> have been two updates to the announcement, none of which have modified the 
> "don't update" advice and none of which has been specific as to the exact 
> nature of the problems.  At one point we received a list of servers, but 
> not services, which were back up and running.
> The University of Bergen has 500 linux clients running Fedora.  We 
> average one reinstall/fresh install per day, often doing quite a lot 
> more. Installs and reinstalls have had to stop completely, nightly updates 
> have stopped, and until the nature of the problem is revealed we don't 
> even know for certain whether it is safe for our IT staff to type admin 
> passwords to our (RHEL-based, for the most part) servers from these work 
> stations.
> Sometimes unfortunate events happen beyond anyone's control.  We 
> understand this as well as anyone.  We trust the assurances that the 
> infrastructure team is working hard on resolving the matter and are 
> grateful to them for the job they do.  So far nothing that has happened 
> with this issue has reflected poorly on them.
> Sadly, the same cannot be said about the Management of the Fedora 
> project.  Their choice of complete non-disclosure is enough to eradicate 
> any and all confidence that Fedora is a trustworthy platform for Linux 
> installations.  What information they have released has been deliberately 
> vague and, frankly, useless.  For a day or two to secure things this may 
> be a workable strategy.  For a full week, not giving the community 
> participants any chance whatsoever to protect themselves from threats 
> indicated but not specified?  This is poor management and poor judgement 
> and reflects very badly not only on the Fedora project but on Fedora's 
> RedHat sponsor as well.  The issue is more than serious enough and has 
> gone on for more than long enough that someone higher up the scale should 
> have stepped in a long time ago and made sure that all relevant info was 
> released to the community.
> We strongly encourage both the Fedora management and RedHat as a Fedora 
> sponsor to immediately release any and all information relating to the 
> current infrastructure problems.
> Regards,
> -BT, linux client architect, University of Bergen

Well spoken.

I would like to add that several actions have further decreased my
confidence in the decision process:

- A website was put up with a number of new ssh fingerprints we are
supposed to trust.
- We were asked by fedoraproject (via e-mail) to reset our passwords and
reupload keys, even with a 14-day deadline.

If there is an issue severe enough which warrants stopping updates
(which indicates that rpm signing keys have been compromised) why should
we trust those fingerprints and servers?

