Infrastructure status, 2008-08-16 UTC 1530

Todd Denniston Todd.Denniston at
Wed Aug 20 16:45:40 UTC 2008

Jeff Spaleta wrote, On 08/18/2008 02:15 PM:
> On Mon, Aug 18, 2008 at 8:27 AM, g <geleem at> wrote:
>> anyone who is not subscribed to 'fedora-announce-list' has no one other
>> than themselves to blame for not being aware.
>> fact that something such as this has happened, it would be best that all
>> who are not subscribed to 'fedora-announce-list', should do so.
> The specific current situation aside for a moment. As a Board member,
> I am interested in thinking about a better mechanism of communication
> of anything hoped to be seen by the entire community.  
> I do not want to go into this too deeply until the current situation
> has been resolved. I do not want to be a distraction. But I think this
> is an area where someone could step up and provide some new code to
> make communicating important announcements easier. 

I don't think new code is needed, the announcement occurred and has been duly
noted.  As geleem noted we need to watch the very low volume
fedora-announce-list or at least view its archive on a periodic basis, no big
deal on the tools to communicate being there, because they are.

The problem is not that communication did not happen.  The problem is that
Paul dropped a line which can imply things that MAY be well beyond the true
situation. I think Matthew Miller's message[1] summarizes, very well, an
extreme position that can be implied from "We're still assessing the end-user
impact of the situation, but as a precaution, we recommend you not download or
update any additional packages on your Fedora systems"[2].  Also very little
in the related messages[3][4] has reduced the perceived likelihood that the
extreme position is wrong.

I think this could be calmed down (communication on _this_ sub-issue
COMPLETED) if Fedora/Red Hat could issue a statement indicating at least one of:
1) 'we have no reason to believe that THE private keys used to sign rpms have
been compromised.'
2) 'Look folks it was just a big hardware heading for the big sleep problem,
and the mirrors probably got a combination of rpms that would not be able to
resolve all the dependencies because of incomplete pushes from kjoii to
updates.' {we (users) already understand from [3] that there has been a 
decision that as long as we are down, replace some old hardware. response: 
cool faster stuff.}
3) 'updates released before ## MMM YYYY are not going to cause a problem.' or
'none of the updates will cause a security compromise problem, though some of
the dependencies may not be available, and thus have the possibility to cause
a security availability problem.'

[1] 'Re: important question about updates [was Re: Infrastructure status,
2008-08-19 UTC 0200]'
BTW +1 on all Matthew said in [1].



Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

