Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Fedora-Red Hat Crisis

Posted by Soulskill on from the evidently-it-doesn't-start-at-the-top dept.

jammag writes "When Linux journalist Bruce Byfield tried to dig for details about the security breach in Fedora's servers, a Red Hat publicist told him the official statement — written in non-informative corporate-speak — was all he would get. In the wake of Red Hat's tight-lipped handling of the breach, even Fedora's board was unhappy, as Byfield details. He concludes: 'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'"

3 of 263 comments (clear)

  1. New Fedora Key by FrankDrebin · · Score: 5, Informative

    TFA says:

    However, as of September 8, the crisis continues, with Fedora users still unable to get security updates or bug-fixes.

    Not true. Go here: https://fedoraproject.org/wiki/Enabling_new_signing_key, follow the instructions and voila... updates available.

    --
    Anybody want a peanut?
  2. Re:Consider Red Hat's response vs. Debian's by michaelmuffin · · Score: 5, Informative

    That is ridiculous. The law does certainly not say that making money is the only thing that matters.

    i agree that it's ridiculous. it is however true.

    http://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Company

  3. How is this "ignoring FOSS"? by itsdapead · · Score: 5, Informative

    If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient

    Sorry, but I must have missed the clause in the GPL that requires full and immediate public disclosure of any security breach on your servers, or a duty to maintain 100% availability.

    OTOH I do remember loads of stuff in the GPL about how there was no warranty.

    There also seems to be a presumption that this "breach" represents some sort of systemic vulnerability in the Fedora/Red Hat product - TFA and several comments here reference the Debian SSL problem. What about the good old standbys of "inside job", "social engineering", "weak password" or "bugger, I knew I should have password-protected my SSH key"?

    What if they're planning to fire someones ass, or even press criminal charges over the incident? That would place serious restrictions on what they could publicly announce.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.