non-disclosure of infrastructure problem a management issue?

Björn Persson bjorn at xn--rombobjrn-67a.se
Sat Aug 23 16:57:08 UTC 2008


Rui Miguel Silva Seabra wrote:
> The first message...
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>
> ... said:
>
> 	We're still assessing the end-user impact of the situation, but as a
> 	precaution, we recommend you not download or update any additional
> 	packages on your Fedora systems.
>
> This spells "*unsafe* to install packages, without saying specifically
> why" to me, what about you? :)

To me it looked like there was a problem with the performance or availability 
of the servers, and they didn't know how much downtime there would be or how 
bad the response times would be, and they wanted us to avoid updating to ease 
the load on the servers until they could fix the problem. That wouldn't make 
it unsafe to install packages although it might be difficult to download 
them.

I can also imagine that such a recommendation would be issued if a bug in the 
build system had caused corrupted packages or incorrect dependencies. In that 
case it could be said that it would be unsafe to install packages, but I 
might still choose to update some after ensuring that I could revert to an 
older version if necessary.

It wasn't until I saw the speculations here in fedora-list that I understood 
that there might be a risk that I would get backdoors installed if I updated. 
It's mostly by chance that I'm currently reading fedora-list. If I were only 
reading fedora-announce-list I might not have understood that there was a 
security risk until yesterday's announcement, and then I would probably have 
chosen to install some important security updates despite the recommendation.

It's simple, really: People won't follow instructions if you don't tell them 
why the instructions are important.

Björn Persson