Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Fedora-Red Hat Crisis

Posted by Soulskill on from the evidently-it-doesn't-start-at-the-top dept.

jammag writes "When Linux journalist Bruce Byfield tried to dig for details about the security breach in Fedora's servers, a Red Hat publicist told him the official statement — written in non-informative corporate-speak — was all he would get. In the wake of Red Hat's tight-lipped handling of the breach, even Fedora's board was unhappy, as Byfield details. He concludes: 'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'"

17 of 263 comments (clear)

  1. Consider Red Hat's response vs. Debian's by Bruce+Perens · · Score: 5, Insightful
    I liked the way that Debian handled its server breach, and the more recent SSL bug. They realized that their first responsibility was to the users. They knew that not just Debian but all Debian derivatives like Ubuntu would be effected, and that the best way to handle it was to publish the full details and what they were doing to fix them. They came out of both situations looking better than Red Hat has this time. And it's not what Fedora looks like. Red Hat obviously took control, shutting off outside reporting in a way that never would have flown with a real Open Source project rather than a company dominating an Open Source project, and thus Red Hat got the loss of credibility.

    The problem with a lot of corporate Open Source is that they ignore the ethical foundation of Open Source. And eventually we find out that Open Source isn't quite as good without the ethics.

    Bruce

    --
    Bruce Perens.
    1. Re:Consider Red Hat's response vs. Debian's by Elektroschock · · Score: 3, Insightful

      Bruse Byfield is a troll. So why debate his accusations?

      Yes, there are many problems: patents, open standards, dmca restrictions and so forth. But open source is still the best of all worlds.

      RedHat as a company applies the usual tactics but as a community member gives a lot. Sure corporations are vulnerable to money. Novell is a good example...

    2. Re:Consider Red Hat's response vs. Debian's by wumingzi · · Score: 3, Insightful

      I pretty much agree: Fedora was obviously squelched by Red Hat corporate who was apparently afraid of the reaction of their paying customers///////////// shareholders. Despite the token board openings and motions about openness, after this nobody can pretend that Fedora is on anything but a *very* short leash held by Red Hat.

      As they say on that snarky message board across town, fixed it for ya.

      As a publicly traded company, Red Hat's primary responsibility is to produce a profit for its shareholders. That is the law. If the officers of the company do anything which interferes with that solemn legal duty, they risk lawsuits, and even jail time for breach of fiduciary responsibility.

      If an overly open disclosure policy is perceived to affect future sales or the value of the brand (i.e. "goodwill"), legal will tell them to say nothing unless they are breaking a bigger law (i.e. gross negligence) by saying nothing.

      It's strange, but it makes money, which the law says is the only thing that matters.

    3. Re:Consider Red Hat's response vs. Debian's by rtfa-troll · · Score: 4, Insightful

      Reading between the lines, it seems there's an ongoing investigation into the incident and they aren't allowed to communicate. I'll wait until I know much more about this before I make my final decision on how RedHat behaved.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Consider Red Hat's response vs. Debian's by InlawBiker · · Score: 3, Insightful

      That is ridiculous. The law does certainly not say that making money is the only thing that matters. Companies private and public have a responsibility to act in an ethical manner. That's what Sarbanes Oxley and ethics officers are for. Besides that it's poor public relations. It would have been in Red Hat's best interest to disclose details. If they had then maybe their credibility wouldn't be called into question.

    5. Re:Consider Red Hat's response vs. Debian's by segedunum · · Score: 5, Insightful

      I liked the way that Debian handled its server breach, and the more recent SSL bug.

      Unfortunately, that uncovered something perhaps more serious at the heart of Debian. Stop hacking on stuff downstream that you don't have any real idea about and that will only affect you if it blows up. The SSL thing has been a disaster waiting to happen, and it will probably happen again.

    6. Re:Consider Red Hat's response vs. Debian's by vrmlguy · · Score: 3, Insightful

      That is ridiculous. The law does certainly not say that making money is the only thing that matters.

      i agree that it's ridiculous. it is however true.

      http://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Company

      GP is right and you are wrong. Among non-experts, conventional wisdom holds that corporate law requires boards of directors to maximize shareholder wealth. This common but mistaken belief is almost invariably supported by reference to the Michigan Supreme Court's 1919 opinion in Dodge v. Ford Motor Co.

      --
      Nothing for 6-digit uids?
  2. Re:welcome to the world by earnest+murderer · · Score: 3, Insightful

    It's happened numerous times. Consider the Bruce's comment regarding Debian above.

    Frankly "a real business situation" sounds a lot like a metaphor for covering your ass at other people's expense.

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
  3. Re:welcome to the world by robo_mojo · · Score: 5, Insightful

    "Frankly" when business is more important than the customer, often the business isn't worth a damn.

  4. Does this justify the word "crisis?" by bogaboga · · Score: 5, Insightful

    Does this justify the word "crisis?" I doubt it does. In my opinion "conundrum" would be a better word.

    At first read, the heading made me think that Red Hat and Fedora communities were bickering big time, threatening timely releases of software we have [all] come to rely on. Of course this is not the case.

    So why the sensational heading?

  5. gotta say, this is BAD by pavera · · Score: 3, Insightful

    I used to be 100% redhat and fedora... Now I've moved almost all my systems to ubuntu, but I still run centos on a few servers.

    Every reputable tech company I deal with (ISP, Software, Hosting, Colo) has very clear, very open policies about outages, breaches, and security in general. If they don't I don't do business with them.

    I know the ins and outs of my ISP, Hosting, and Colo companies processes because I get emailed whenever I have an outage that says "we experienced an outage from x-y on day z, the outage was caused by our dumb admin who tripped on the power cable, we rewired our entire data center to move all of the power cables to the ceiling to prevent a similar outage in the future".

    Obviously that is a made up report, but it is extremely standard practice to let all your customers know a) when the problem happened, b) what caused the problem, c) concrete steps taken or procedures implemented to prevent similar problems in the future

    That RedHat has fallen so miserably short of this basic tenet of IT procedures is extremely scary.

    1. Re:gotta say, this is BAD by Bruce+Perens · · Score: 5, Insightful

      surprise surprise, our 850 RHEL4/5 installs had none

      You're very trusting with all that money. Someone else in the same situation might truthfully report: my vendor is keeping me the dark, I don't know the nature and degree of my own exposure.

      This would make me nervous.

      --
      Bruce Perens.
  6. Re:Press Releases... by Elektroschock · · Score: 3, Insightful

    Yeah, but that is the techie paranoia.

    Just because something can be done doesn't mean it actually happens. If I go to holidays and leave the door of my house open, it does not mean that something actually happens.

    The point is, Red Hat signs their packages. If their signing mechanism has been compromised, it is quite conceivable that every single Red Hat package is untrustworthy.... you must throw out all Red Hat packages on your system, because any could be compromised.

    Nonsense. Why should you "trust" RedHat Packages signed by employees?

    The whole signing shit is a troll for the privacy church. What they forget are the proportions and what is really important. We know exactly that the problem didn't affect us in the past and it won't affect us in the future now we found out. No need to panic.

  7. The jury must be very patient, indeed by Bruce+Perens · · Score: 4, Insightful

    The issue isn't even fully known, so you're jumping to conclusions.

    I would have phrased it differently: The issue isn't fully known, thus there's a problem.

    There's been quite a lot of time.

    --
    Bruce Perens.
  8. So what exactly is Red Hat hiding? by Rolman · · Score: 4, Insightful

    OK, some servers got hacked, the attackers didn't inject rogue packages into the repository servers so no customers/users were affected. Red Hat/Fedora responded by auditing everything and releasing a statement, along with tools to detect packages with the attackers' signature. Big deal.

    Seriously, what else is there to be known about it?

    Yeah, say whatever you want, but it's not as if Debian never had its servers compromised in a similar fashion, and never had to perform some PR damage control.

    Unlike Debian, Red Hat is a publicly traded company with a whole bunch of customers with signed SLAs. Handling such matters without press trolls all rolling over it spreading FUD and causing unnecessary panic is _not_ an easy task, as can be beautifully shown by TFA.

    I respectfully disagree with Bruce Perens. The Debian OpenSSL fiasco was so much more serious, damaging and dangerous to users all over the world, it's not even fair to compare. We're talking about millions of known networks and sessions compromised in Debian over a year and a half period, versus none in Red Hat over a week.

    I appreciate how Debian acted _after_ the fact, but was there any other way to handle such a terrible mishap?

    This is not about flawed Open Source policies, this is about seriously flawed journalism, where conspiracy theories are used to make a story where there is none.

    --
    - Otaku no naka no otaku, otaking da!!!
  9. Re:Press Releases... by Elektroschock · · Score: 4, Insightful

    Nice try. The problem with Techies is that they don't get the larger picture. They focus on the blinking red herrings they are so used to and where they believe in.

    We are talking about a serious flaw of a security model. True. But consider that most people run operating systems where executables are not signed at all.

    There is no indication here at all that anyone externally found out about the problem before. It is basically that you found out that what you did over the last two years was vulnerable to potential attacks. How will it affect the future? Not at all, as the issue gets fixed.

    Ah, and right now no one unauthorised actually has the key yet. It is only technically possible to crack it much easier...

  10. Re:Press Releases... by againjj · · Score: 3, Insightful

    And if the original compiler was gcc, and trojaned in the way the paper describes, then the triple compilation wouldn't catch it. Why? Step 1: the existing compiler builds binary 1 and inserts the backdoor. Step 2: Binary 1 builds binary 2 and inserts the backdoor. Step 3: Binary 2 builds binary 3 and inserts the backdoor. Step 4: binary 2 and binary 3 are compared, and if they are different, then there is an error. However, since all versions have the backdoor, there is no difference, and no error will be flagged. Try reading the linked article again.

    The triple compilation is not for detecting trojans, but "because the compiler will be tested more completely and could also have better performance."