non-disclosure of infrastructure problem a management issue?
Björn Persson
bjorn at xn--rombobjrn-67a.se
Sat Aug 23 16:57:08 UTC 2008
Rui Miguel Silva Seabra wrote:
> The first message...
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html
>
> ... said:
>
> We're still assessing the end-user impact of the situation, but as a
> precaution, we recommend you not download or update any additional
> packages on your Fedora systems.
>
> This spells "*unsafe* to install packages, without saying specifically
> why" to me, what about you? :)

To me it looked like there was a problem with the performance or availability
of the servers, and they didn't know how much downtime there would be or how
bad the response times would be, and they wanted us to avoid updating to ease
the load on the servers until they could fix the problem. That wouldn't make
it unsafe to install packages although it might be difficult to download
them.

I can also imagine that such a recommendation would be issued if a bug in the
build system had caused corrupted packages or incorrect dependencies. In that
case it could be said that it would be unsafe to install packages, but I
might still choose to update some after ensuring that I could revert to an
older version if necessary.

It wasn't until I saw the speculations here in fedora-list that I understood
that there might be a risk that I would get backdoors installed if I updated.
It's mostly by chance that I'm currently reading fedora-list. If I were only
reading fedora-announce-list I might not have understood that there was a
security risk until yesterday's announcement, and then I would probably have
chosen to install some important security updates despite the recommendation.

It's simple, really: People won't follow instructions if you don't tell them
why the instructions are important.

Björn Persson