non-disclosure of infrastructure problem a management issue?

Nifty Fedora Mitch niftyfedora at niftyegg.com
Fri Aug 22 21:40:33 UTC 2008


On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora
>> had "infrastructure problems" and to stop updating systems.  Since
>> then there have been two updates to the announcement, none of which
>> have modified the "don't update" advice and none of which have been
>> specific as to the exact nature of the problems.  At one point we
>> received a list of servers, but not services, which were back up and
>> running.
>>
>> The University of Bergen has 500 Linux clients running Fedora.  We
>> average one reinstall/fresh install per day, often doing quite a lot
>> more. Installs and reinstalls have had to stop completely, nightly
>> updates have stopped, and until the nature of the problem is revealed
>> we don't even know for certain whether it is safe for our IT staff to
>> type admin passwords to our (RHEL-based, for the most part) servers
>> from these workstations.

With 500 clients?
Are you pulling updates from the internet, or are
you pulling from a local cache of "tested" updates?

Are you using site-specific kickstart config files that install local
yum config files, ssh keys, sendmail setup and sudo config files so your admins can
access the hosts without typing passwords?

What revision control is used for the config files?

I can see that the lack of updates would prove disconcerting,
but the inability to maintain a day-to-day "another one just like
yesterday's" install seems fragile.

In business school there is a strategy of "owning your own
dependencies".  The long-term success stories in business include
strong control of the resources that they depend on.

It is possible to manage yum and friends to allow only update packages re-signed by
your group at Bergen after testing them.

My last question -- what is the University of Bergen's written policy for
this and other types of risk?  Does university policy mandate the disclosure
that you expect from Red Hat?

----

In possible defense of RH, does anyone know what restrictions the US Department
of Homeland Security might impose?  If I were RH I would have promptly called in
the authorities.  Then, with the conflict between Georgia and Russia catching
headlines, who knows how cautious and SLOW RH+DHS+FBI were.  I do not
expect an answer... and just because some are paranoid, RH did get hacked...




-- 
	T o m  M i t c h e l l 
	Got a great hat... now what.
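The point above about letting yum accept only packages re-signed by the local group after testing can be checked mechanically on each client. The following is an added example, not code from this thread: it audits a yum .repo file and flags any enabled repo that still trusts the public mirror list or a key other than the site's own. The mirror host updates.example.edu, the key path RPM-GPG-KEY-site and both sample configs are constructed for the illustration.

```python
import configparser

# Constructed sample: a stock client config that trusts the public mirrors.
WEAK_REPO = """\
[fedora]
name=Fedora
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-9&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
"""

# Constructed sample: client pinned to a hypothetical site mirror that only
# carries packages re-signed with the site key after local testing.
SITE_REPO = """\
[site-tested]
name=Site tested updates (hypothetical mirror)
baseurl=https://updates.example.edu/fedora/9/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-site
"""

SITE_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-site"   # hypothetical
TRUSTED_HOST = "updates.example.edu"                     # hypothetical


def audit_repos(text, site_key=SITE_KEY, trusted_host=TRUSTED_HOST):
    """Return {repo_id: [problems]} for every enabled repo in a .repo file.

    An empty problem list means the repo only accepts packages that were
    fetched from the site mirror and signed with the site key."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch as-is
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1") != "1":      # yum treats missing as enabled
            continue
        problems = []
        if sec.get("gpgcheck", "0") != "1":
            problems.append("gpgcheck disabled")
        if sec.get("gpgkey") != site_key:
            problems.append("gpgkey is not the site signing key")
        if "mirrorlist" in sec:
            problems.append("mirrorlist lets any public mirror serve packages")
        if not sec.get("baseurl", "").startswith(f"https://{trusted_host}/"):
            problems.append("baseurl is not the site mirror")
        findings[repo] = problems
    return findings
```

Running audit_repos over every file in /etc/yum.repos.d from a kickstart post-install step, and failing the install when any list is non-empty, keeps a freshly built client from quietly picking up upstream packages again.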