non-disclosure of infrastructure problem a management issue?

Joel Rees joel.rees at gmail.com
Sat Aug 23 23:35:39 UTC 2008


I don't mean to be rude, but, ...

> [...]  One thing this incident has taught us is to take regular
> backups of that mirror so that we can roll back to a non-suspect
> version of the Fedora updates.  Didn't have that before, really
> missed it the last couple of weeks.

Consider that a lesson well learned. And, while it may not have been  
the most convenient time to learn it, things could have been much worse.

It's one of the costs (and, actually, one of the benefits) of working  
with open source. With "Proprietary" you have "guarantees". When they  
fall down on the job, or when other bad stuff happens, you can  
theoretically get some sort of compensation. But when you look at the  
record, the compensation you get isn't worth it.

With open source, you have both the responsibility and the privilege
to run your own install servers and backups. And you don't have the
guarantees that seem to fool the bean counters.

>> Are you using site specific kickstart config files that install local
>> yum config files, ssh keys, sendmail setup and sudo config files so
>> your admins can access the hosts without typing passwords?
>
> Yes, to all.  Unfortunately that regime isn't 100% adhered to, which is
> something we work on.  Equally unfortunately, we have had to give the
> footwork guys sudo access to a limited set of commands.  Sudo with or
> without passwords have different security implications, we've landed on
> "with".

"With" is not a bad alternative.

Balancing resources is always a problem. No matter how you choose,  
sometimes bad stuff happens. Again, if accounting or management is  
coming after you, point to the actual results (not the promises and  
fudged guarantees) that could be obtained from the proprietary  
alternatives.

F/OSS, while better than the alternatives, is not some magic utopia.

Now, I think they're handling this pretty well so far.

I'm considering things from the overall perspective. A certain  
"Proprietary" vendor has put the entire world's infrastructure at  
risk, and they've managed to delay things with weird legal and  
political games for more than ten years, putting society at further  
risk. What we hear in public is not the worst that could happen (or
is happening, really), and anyone whose infrastructure is dependent
on that "Proprietary" vendor is basically living on borrowed time
and illusions. It's definitely time to run a tight ship now.

[...]

Joel Rees



