Slashdot Mirror


The Fedora-Red Hat Crisis

jammag writes "When Linux journalist Bruce Byfield tried to dig for details about the security breach in Fedora's servers, a Red Hat publicist told him the official statement — written in non-informative corporate-speak — was all he would get. In the wake of Red Hat's tight-lipped handling of the breach, even Fedora's board was unhappy, as Byfield details. He concludes: 'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'"

9 of 263 comments

  1. Consider Red Hat's response vs. Debian's by Bruce Perens · Score: 5, Insightful
    I liked the way that Debian handled its server breach, and the more recent SSL bug. They realized that their first responsibility was to the users. They knew that not just Debian but all Debian derivatives like Ubuntu would be affected, and that the best way to handle it was to publish the full details and what they were doing to fix them. They came out of both situations looking better than Red Hat has this time. And it's not what Fedora looks like. Red Hat obviously took control, shutting off outside reporting in a way that never would have flown with a real Open Source project rather than a company dominating an Open Source project, and thus Red Hat got the loss of credibility.

    The problem with a lot of corporate Open Source is that they ignore the ethical foundation of Open Source. And eventually we find out that Open Source isn't quite as good without the ethics.

    Bruce

    1. Re:Consider Red Hat's response vs. Debian's by rtfa-troll · Score: 4, Insightful

      Reading between the lines, it seems there's an ongoing investigation into the incident and they aren't allowed to communicate. I'll wait until I know much more about this before I make my final decision on how Red Hat behaved.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Consider Red Hat's response vs. Debian's by segedunum · Score: 5, Insightful

      I liked the way that Debian handled its server breach, and the more recent SSL bug.

      Unfortunately, that uncovered something perhaps more serious at the heart of Debian. Stop hacking on stuff downstream that you don't have any real idea about and that will only affect you if it blows up. The SSL thing has been a disaster waiting to happen, and it will probably happen again.

  2. Re:welcome to the world by robo_mojo · Score: 5, Insightful

    "Frankly" when business is more important than the customer, often the business isn't worth a damn.

  3. Does this justify the word "crisis?" by bogaboga · Score: 5, Insightful

    Does this justify the word "crisis?" I doubt it does. In my opinion "conundrum" would be a better word.

    At first read, the heading made me think that Red Hat and Fedora communities were bickering big time, threatening timely releases of software we have [all] come to rely on. Of course this is not the case.

    So why the sensational heading?

  4. The jury must be very patient, indeed by Bruce Perens · Score: 4, Insightful

    The issue isn't even fully known, so you're jumping to conclusions.

    I would have phrased it differently: The issue isn't fully known, thus there's a problem.

    There's been quite a lot of time.

  5. So what exactly is Red Hat hiding? by Rolman · Score: 4, Insightful

    OK, some servers got hacked, the attackers didn't inject rogue packages into the repository servers so no customers/users were affected. Red Hat/Fedora responded by auditing everything and releasing a statement, along with tools to detect packages with the attackers' signature. Big deal.

    Seriously, what else is there to be known about it?

    Yeah, say whatever you want, but it's not as if Debian never had its servers compromised in a similar fashion, and never had to perform some PR damage control.

    Unlike Debian, Red Hat is a publicly traded company with a whole bunch of customers with signed SLAs. Handling such matters without press trolls all rolling over it spreading FUD and causing unnecessary panic is _not_ an easy task, as can be beautifully shown by TFA.

    I respectfully disagree with Bruce Perens. The Debian OpenSSL fiasco was so much more serious, damaging and dangerous to users all over the world, it's not even fair to compare. We're talking about millions of known networks and sessions compromised in Debian over a year-and-a-half period, versus none in Red Hat over a week.

    I appreciate how Debian acted _after_ the fact, but was there any other way to handle such a terrible mishap?

    This is not about flawed Open Source policies, this is about seriously flawed journalism, where conspiracy theories are used to make a story where there is none.

    --
    - Otaku no naka no otaku, otaking da!!!
  6. Re:gotta say, this is BAD by Bruce Perens · Score: 5, Insightful

    surprise surprise, our 850 RHEL4/5 installs had none

    You're very trusting with all that money. Someone else in the same situation might truthfully report: my vendor is keeping me in the dark, I don't know the nature and degree of my own exposure.

    This would make me nervous.

  7. Re:Press Releases... by Elektroschock · Score: 4, Insightful

    Nice try. The problem with techies is that they don't get the larger picture. They focus on the blinking red herrings they are so used to and that they believe in.

    We are talking about a serious flaw of a security model. True. But consider that most people run operating systems where executables are not signed at all.

    There is no indication here at all that anyone externally found out about the problem before. It is basically that you found out that what you did over the last two years was vulnerable to potential attacks. How will it affect the future? Not at all, as the issue gets fixed.

    Ah, and right now no one unauthorised actually has the key yet. It is only that cracking it has become technically much easier...