non-disclosure of infrastructure problem a management issue?

Nifty Fedora Mitch niftyfedora at niftyegg.com
Sun Aug 24 07:55:54 UTC 2008


On Sat, Aug 23, 2008 at 11:44:15PM +0200, =?ISO-8859-1?Q?Bj=F8rn_Tore_Sund_ wrote:
> Nifty Fedora Mitch chose attack as the best defense:
> > On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> >> Bjoern Tore Sund wrote:
> >>> It has now been a full week since the first announcement that Fedora
> >>> had "infrastructure problems" and to stop updating systems.  Since
> >>> then there has been two updates to the announcement, none of which
> >>> have modified the "don't update" advice and noen of which has been
> >>> specific as to the exact nature of the problems.  At one point we
> >>> received a list of servers, but not services, which were back up and
> >>> running.
> >>>
> >>> The University of Bergen has 500 linux clients running Fedora.  We
> >>> average one reinstall/fresh install per day, often doing quite a lot
> >>> more. Installs and reinstalls has had to stop completely, nightly
> >>> updates have stopped, and until the nature of the problem is revealed
> >>> we don't even know for certain whether it is safe for our IT staff to
> >>> type admin passwords to our (RHEL-based, for the most part) servers
> >>> from these work stations.
> >
> >With 500 clients ?
> 
> So far.  Got about 250 laptops coming into the system this autumn, as soon
> as we have the setup and config regime properly structured and able to
> handle it.  Should be ready sometime in September.
> 
> >Are you pulling updated from the internet or are
> >you pulling from a local cache of "tested" updates.
> 
> I have often wished we had the manpower to do the latter.  Unfortunately, we
> don't, so the local mirror is exactly that, a mirror.  One thing this
> incident has taught us is to take regular backups of that mirror so that we
> can roll back to a non-suspect version of the Fedora updates.  Didn't have
> that before, really missed it the last couple of weeks.

Thank you for the reply.

Your site setup sounds very well managed and I now
understand your concern and original post much better.
Other readers of this list should take a lesson 
on how to manage a large community of machines and users.

This event does present the community with some eye opening perspectives
with regard to the chain of resources that we depend on.

For example using 'rsync' for mirror management could quickly and
silently update the global set of mirrors with bad files almost overnight.
If keys were hacked and hosts near the tip of tree silently compromised it might
go undetected for some time.

Weeks ago I would have suggested running a mirror without the --delete flag
as the only 'special flag' not in common use.  Now it appears that some
sort of way to freeze packages once they have been pulled makes sense.

One quick local action is to have a local check sum file set that can be
used to verify that 'old' packages do not change in the local mirror.
rsync and friends could then be enhanced to understand a 'gold frozen' list.

As I ponder an 'rsync' tree of mirrors I continue to think that RH did the correct thing.

Still, having said that, I too would have liked more information.  But, In my
limited experience with law enforcement and security groups the rule seems
to be to say nothing which is exactly what happened.    Sadly the Linux
community is not without its bad actors as we in the SF Bay area learned
with the recent conviction of HR.

Interesting stuff....


-- 
	T o m  M i t c h e l l 
	Got a great hat... now what.




More information about the users mailing list