Meeting:Board Public IRC log 20080909

From FedoraProject

Jump to: navigation, search
mmcgrath OMGWTFBBQ? 10:59
spevack ok folks... welcome to the "public" room of the latest Fedora Board IRC meeting. 11:00
Jeff_S mmcgrath: yes 11:00
spevack As often, I will be your moderator. 11:00
spevack My job is to feed the questions you guys have into the moderated room, and the Board will answer them. 11:00
spevack I'm not sure if they have any agenda items to discuss today. 11:00
stickster Welcome everyone 11:01
spevack but at some point they will be ready for questions, so just fire away, and when the Board is ready, i'll paste them into their channel 11:01
spevack hi stickster 11:01
* mmcgrath waves at sir stickster 11:01
vallor spevack: I'm sure one of the questions on everybody's mind is the status of "Infrastructure" -- and are the rumors true that the bogusly-signed openssh packages were trojaned? 11:01
* spevack wonders why mmcgrath never addressed him as "sir" :) 11:01
spevack vallor: that question is now at the top of the queue 11:02
vallor thank you :) 11:02
-!- zcat [n=zcat@pdpc/supporter/active/zcat] has joined #fedora-board-public 11:02
lwnjake spevack: also, when might we find out more about exactly what happened to the infrastructure 11:03
nirik related question: any news/eta on more details from the investigation being released? 11:03
lwnjake heh 11:03
* spevack notes everything 11:03
nirik jinx. ;) 11:03
* ricky is around 11:03
bryan_kearney1 spevack: I would like to get feedback on the AOS Trademark request 11:03
-!- bjornts [] has joined #fedora-board-public 11:03
bryan_kearney1 spevack: if that diverges into "Should Fedora Require SELinux" that is cool 11:04
rdieter spevack: another hard ball, why wasn't the board informed of anything? (afaik, they're as much uninformed as anyone). 11:04
rdieter or so says mr. spoleeba 11:04
-!- hibana [n=inetpro@unaffiliated/hibana] has joined #fedora-board-public 11:04
-!- mdomsch [] has joined #fedora-board-public 11:05
-!- jwilliam [] has quit [Client Quit] 11:05
* spevack adds all of these to the queue 11:05
-!- mdomsch [] has left #fedora-board-public ["Leaving"] 11:05
mmcgrath spevack: you're king spevack thats why :) 11:05
spevack mmcgrath: :) 11:05
-!- jwilliam [] has joined #fedora-board-public 11:06
inode0 less touchy I think question: why no new installation media? seems a large pain to install systems with keys that we need to replace after installation?! 11:06
rdieter inode0: that's not a board question, imo, and was addressed in rel-eng meetings. In short, way way way more work. I don't think it's been ruled out, but the time to do that would be prohibitive. 11:07
nirik inode0: because that doesn't help any of the already burned media out there, and for doing something like 9.1 there would be export approval/legal to go thru (I think) 11:07
inode0 rdieter: I'm happy to get answers here whether the board hears the question or not 11:08
spot nirik: you're right on the spot there. ;) 11:08
* nirik nods. Happy to provide more info anytime inode0. ;) 11:08
nirik spot: cool. I love it when I am right. ;) 11:09
* spevack has all the questions asked so far queued up 11:09
inode0 is the first question about redhat packages or fedora packages btw? 11:10
spevack vallor: ^^^ see inode0's comment 11:10
nirik it would have to be about RHEL packages... 11:11
nirik which the board wouldn't likely be able to answer, but hey, I am not them, so lets see what they say. ;) 11:11
vallor spevack: I think it would be a bit unusual for the board not to (at least) recognize the impact of the "crisis" (mdomsch's article's term), on the Fedora community, including questions necessary for an informed assessment of our own systems' integrity. 11:12
spevack vallor: sure. i'm not disagreeing with that. just asking for clarification about whether you were referring to RHEL or Fedora ssh packages 11:14
vallor I'm referring to anything and everything in the incident where systems that were compromised -- and if that flows slightly into RHEL space, I think it is only prudent to explain that part of the incident, too. 11:16
spevack ok 11:16
vallor er, where systems were compromised * 11:16
inode0 clarification: is this an open town hall style meeting for the board to hear concerns and comments from the community or is there a list of appropriate topics I am not aware of? 11:16
spevack inode0: you can ask anything you want, as far as i am concerned. 11:16
spevack or make any statement you want. 11:16
spevack that's the point 11:17
vallor inode0: I'm not working from any list, if that's what you mean -- I just have some concerns, which are shared by other Fedora users that I have contact with, incl. colleagues in our local LUG 11:18
-!- tburke [n=tburke@nat/redhat/x-30bb7f9baa61c32c] has joined #fedora-board-public 11:18
bryan_kearney1 spevack: this is the SELinux issue 11:18
spevack tburke: you'll want to join #fedora-board-meeting also 11:18
spevack bryan_kearney1: go ahead. 11:19
* vallor has to point out that his company posts any and all problems that it faces on its front web page 11:19
-!- asdfasdf [] has joined #fedora-board-public 11:19
spevack we will feed all the questions in to the Board, don't worry. 11:19
spevack bryan_kearney1: did you have another question? 11:20
bryan_kearney1 i would like to see this discussiong occur 11:21
bryan_kearney1 right now, I have a trademark request DOA becuase of this 11:21
spevack bryan_kearney1: ah... your AOS question is an SELinux issue 11:21
* spevack connects the threads based on f-a-b posts 11:21
spevack bryan_kearney1: i got it now 11:21
bryan_kearney1 I gave up for F10 11:21
bryan_kearney1 but in reality, we need to either enforce a minimal set of technologies 11:21
bryan_kearney1 and define it 11:21
bryan_kearney1 or keep opinions to our selves 11:22
-!- asdfasdf [] has left #fedora-board-public ["Leaving"] 11:22
* spevack updates the question list 11:23
vallor what is f-a-b -- fedora-admin-board ? 11:23
-!- cyban [n=cyban@] has joined #fedora-board-public 11:23
spevack fedora-advisory-board 11:23
rdieter f.. advisory board (list) 11:23
vallor spevack: ah, thank you :) 11:23
-!- Half_Life [n=Angel@] has quit [Client Quit] 11:24
vallor are they talking about some kind of export restriction for SELinux? 11:26
vallor like it used to be with crypto? 11:27
inode0 vallor: my question wasn't related to your concerns which are perfectly appropriate 11:27
vallor (U.S. export restriction, I mean) 11:27
bryan_kearney1 notting... the net result wa no approval 11:28
nirik vallor: no, its about spins that disable selinux being able to say they are "Fedora" 11:28
bryan_kearney1 wa == was 11:28
-!- JonRob [] has joined #fedora-board-public 11:29
vallor nirik: thanks, didn't know what that was about 11:29
* lmacken yawns 11:29
lmacken SELinux should *always* be enabled by default for Fedora spins, imo. 11:29
lmacken fixing selinux bugs is not hard. 11:30
* nirik notes that in the FESCo meeting it was talked about making spins meet the release criteria 11:30
aa6e How many times has SELinux saved your bacon vs how many times caused grief? 11:30
bryan_kearney1 nirik: the issue is we did, and SELinux being enabled is not part of the criteria 11:31
bryan_kearney1 although folks feel it should 11:31
bryan_kearney1 if it it a criteria, define it 11:31
* nirik nods 11:31
vallor well, regarding the SELinux question, would it work to require it to be enabled, but give them a large knob, with which to easily turn it off? 11:31
* inode0 is not aware of selinux saving his bacon ever - but uses it anyway 11:31
nirik is the link BTW. 11:31
-!- Shambuku [n=dhyatt@] has joined #fedora-board-public 11:32
-!- jds2001 [n=jds2001@fedora/jds2001] has joined #fedora-board-public 11:32
* lmacken gets dejavu from 4 years ago 11:32
lmacken so, the question is -- why do you need to disable it ? 11:33
* nirik wonders if the board will get to any questions today or will keep rehashing. ;) 11:33
bryan_kearney1 sorry 11:33
bryan_kearney1 lmacken: wierd cases with appliance building and deploying 11:33
-!- herlo [n=clints@] has joined #fedora-board-public 11:34
zcat this selinux thing -- it only applies if you call the spin "Fedora" proper? so for something like "Eeedora" (where selinux is diabled) it wouldn't apply? 11:34
nirik zcat: yeah, it's trademark usage... so something can use the Fedora name/brand. 11:34
jds2001 correct. 11:34
lmacken bryan_kearney1: boot and use the spin in permissive -- then file a bug with the denials. 11:35
jds2001 I thought fesco already dealt with this piece of it, since it was brought to our attention. 11:35
bryan_kearney1 lmacken: that is what I ended up doing, but in theory if you use the spin and build it with disabled there could be issues 11:35
* rdieter wonders if the board is going to get to the good/juicy stuff anytime soon. :) 11:35
ongolaBoy rdieter:be patient ;) 11:36
* inode0 wonders if the juicy bit is saying they (a) don't know or (b) can't comment at this time anyway 11:36
-!- vwbusguy [n=scott@] has joined #fedora-board-public 11:37
vallor spevack: Sir, quick point of order -- is there an actual "chief executive" in charge of the Fedora project -- someone with a final veto power -- or is this all being handled by committee? 11:38
* vallor confesses he doesn't know 11:38
nirik bryan_kearney1: is this f9 or f10? 11:38
vwbusguy I'd like to know what security changes in regard to the repos / updates and stuff, if any other than the key change, if it hasn't been discussed yet 11:38
bryan_kearney1 nirik: f10 11:39
spevack vallor: The Fedora Project Leader has that power. 11:39
nirik bryan_kearney1: should work to have it enabled. What errors did you see? 11:39
vallor spevack: thank you 11:39
spevack vallor: no problem 11:39
spevack vallor: that is stickster 11:40
bryan_kearney1 nirik: lemme get you the info 11:40
vallor okay, thank you 11:40
mmcgrath The beef! Where is it? 11:40
bryan_kearney1 nirik: In this, I am a bit of a spokesdude 11:40
nirik bryan_kearney1: ok, no worries... as far as I know it should work. I would say for sure file bugs... 11:41
nirik dwalsh is a bug fixing fiend. 11:41
bryan_kearney1 nirik: will do 11:41
vwbusguy spevack, I had one 11:41
vwbusguy spevack, I'd like to know what security changes in regard to the repos / updates and stuff, if any other than the key change, if it hasn't been discussed yet 11:41
inode0 spevack: vwbusguy asked one too 11:41
quaid bryan_kearney1: dude, sorry if you got burned on the trademark stuff and F10 features :/ 11:41
bryan_kearney1 quaid: no issues... 11:42
bryan_kearney1 quaid: I really just want approval for 10 11:42
-!- goeran [] has joined #fedora-board-public 11:42
spevack vwbusguy: i'll add that too 11:42
vwbusguy spevack, thanks 11:42
bryan_kearney1 quaid: if the end result is getting a list documented, that is a great outcome 11:42
ongolaBoy what is NDA please ? 11:43
spevack ongolaBoy: NDA is a non-disclosure-agreement 11:43
ongolaBoy thx spevack 11:43
spevack 11:43
* rdieter isn't liking the answer, if you can't trust your board, then you're sol. 11:44
-!- deegee [n=deegee@unaffiliated/deegee] has joined #fedora-board-public 11:44
ivazquez Yeah, I don't like the paranoia much either. 11:44
vallor rdieter: agreed 11:44
rdieter fwiw, maybe for future boards, they *should* have a NDA 11:44
* nirik isn't sure that would help any 11:45
ricky I think the implication is that the board wasn't involved 11:45
ricky In the sense of: "People in the board that were involved were involved for different reasons" 11:45
vallor rdieter: may be, for security matters -- what they need is to develop and publish a security plan that everyone can agree to 11:45
rdieter vallor: that too, of course. 11:46
-!- deegee [n=deegee@unaffiliated/deegee] has quit [Read error: 104 (Connection reset by peer)] 11:46
JonRob vallor +1 11:46
-!- gregdek [] has joined #fedora-board-public 11:46
* ricky switches rooms 11:48
* jds2001 has a formal relationship with RHT and is under NDA - not that it helped me in this situation (nor should it have, I had no reason to know). 11:49
vallor rdieter: sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other? 11:49
JonRob vallor: i believe there is already a private list for the board 11:49
vallor rdieter: I'm a big proponent of transparency, but I understand the need to keep mum in an initial security response 11:49
-!- abadger1999 [n=abadger1@] has joined #fedora-board-public 11:50
jds2001 there's a private list already. 11:50
vallor k, just wondered 11:50
-!- deegee [n=deegee@unaffiliated/deegee] has joined #fedora-board-public 11:50
lwnjake spevack: we still haven't heard when we will hear more ... 11:51
skvidal lwnjake: b/c we don't know 11:52
* nirik didn't think his and lwnjake's question was really answered. ;) 11:52
-!- deegee [n=deegee@unaffiliated/deegee] has left #fedora-board-public ["Konversation terminated!"] 11:52
lwnjake nirik: exactly 11:52
rdieter vallor: mum is fine, but I expected that our *elected/community* representatives would have at least been kept in the know 11:52
nirik skvidal: ok, is there at least an idea or who thats gating on? ie, the investigation is still on-going? or ? 11:52
tc1415 rdieter: i would prefer everyone or noone tbh 11:52
skvidal the investigation is still ongoing 11:53
rdieter tc1415: I guess we disagree then 11:53
spevack nirik: i will note that 11:53
nirik ok. fair enough. And no ETA (ballpark) on it? 11:53
skvidal nirik: it's like asking a private detective when they think they'll find your kidnapped daughter 11:53
skvidal we don't know 11:54
* ricky returns 11:54
nirik ok. 11:54
rdieter skvidal: lie?  :) exactly 3.4 days, no problem. 11:54
skvidal rdieter: yes, in no more than 1439.4 days 11:54
skvidal give or take half a decade 11:54
rdieter or simply say, *we don't know*, which afaik, hasn't actually been said (officially). 11:54
vallor spevack: please relate my thanks to f13 :) 11:55
lmacken mmcgrath: did you say you were going to start the incident response plan ? 11:55
* lmacken recalls saying he would help 11:55
gregdek GIMME BACK MY SON!!! 11:55
spevack gregdek: -1 (Troll) 11:55
qwer Is there anything administrators of Fedora systems need to to to avoid a similar break-in? 11:55
mmcgrath lmacken: yeah its on my docket but at this point still months out so if you wanted to get started don't let me stop you. 11:55
lmacken cool. I'm going to go on a SOP writing binge right now (IDS, SELinux, Incident response)) 11:56
vwbusguy spevack, I didn't mean to imply secrecy with the repo changes, just curious as to an ongoing strategy 11:56
vallor gregdek: "You can have your son back, just as soon as we've debriefed'll see him in, say, another month..." 11:56
spevack *** any other follow-ups on security/infrastructure stuff? otherwise, when they break, i will move on to the other questions *** 11:57
aa6e gregdek: ,,, after the election... 11:57
tburke rdieter: isn't "its an ongoing investigation" the same as saying "we dont' know" 11:57
qwer Is there anything administrators of Fedora systems could do to avoid a similar break-in? 11:57
jds2001 spot: no, but plenty of other companies have had to deal with it :) 11:58
jds2001 though +1 11:58
rdieter tburke: fine, then *say so*. If it's not said explicitly, folks make their own (often incorrect assumptions) 11:59
vallor qwer: leave SELinux turned on? (thread mash-up) ... but seriously, do we know when updates will start happening again for F9? I guess knowing the roadblocks to that would allay some fears that this is a huge problem, that is still ongoing... ? 11:59
bjornts The information problemswith the infrastructurre breach point right back at RedHaaat. They have the power. Is there a channel to voice our concern witth the beaaahaviouuuur of Redhat in this matter? 11:59
jds2001 vallor: updates are flowing 11:59
vallor jds2001: hmm 11:59
jds2001 d'oh, maybe not a new fedora-release to point you to em 12:00
lmacken vallor: selinux would not have prevented this incident 12:00
-!- SMParrish [] has joined #fedora-board-public 12:00
rdieter bjornts: legal stuff sucks, what else is there to say? 12:00
vallor jds2001: so there's a fedora-release rpm that I gotta grab to get updates moving again? 12:01
herlo So the patches that have been made and fixes that were applied to the infrastructure, did they help in solving this issue? 12:01
bryan_kearney1 spevack: one edit, I would like to get an updown on the second request 12:01
bryan_kearney1 AOS is Appliance Operating System 12:01
jds2001 vallor: it will be pushed to the old repos soonish 12:01
herlo I mean, what's to stop someone from doing this sort of break-in again? 12:01
-!- JonRob [] has quit [Client Quit] 12:01
spevack bryan_kearney1: write exactly what you want me to paste ;) 12:01
jds2001 vallor: i know that content is seeded to mirrors already 12:01
bjornts rdieter: Legal is one thing. I cannot free myself from suspecting that a lot more could have beenn released without legal problems.... 12:01
vallor jds2001: thanks I wasn't aware of that 12:02
-!- aa6e [n=ewing@] has quit [Client Quit] 12:02
rdieter bjornts: you can suspect all you want... doesn't make it true. 12:02
bryan_kearney1 spevack: AOS spin is still awaiting trademark approval, with selinux enabled (--permissive). We need additional feedback 12:02
bryan_kearney1 spot, I understand 12:02
bryan_kearney1 spot: I made changes per the feedback I got, and have gotten no new feedback 12:02
bjornts rdieter: True. But nothing indicates that it's false either - and that is part of the problem. 12:03
rdieter bjornts: law enforcment (and lawyers) really don't like it when folks involved in an ongoing investigation, talk publically about details. sad, but true. 12:04
vallor rdieter: I think relying on a "law enforcement attitude" is inimical to the goals of the Fedora project -- particularly, the attitude of "don't worry, we know what's best" is especially frustrating 12:06
-!- kikker46 [n=kikker46@] has quit ["leaving"] 12:06
bjornts rdieter: Of course they don't. And I realise they had to hold back. But they were holding back to the point where Fedora users kneew they might have a problem but no clue what, RH users were llikely to have a problem but had no idea. 12:06
jds2001 vallor: frustrating, but necessary when law enforcement is likely involved. 12:06
BB|AtWork spevack what beer is the boards favorite! :) 12:07
bjornts rdieter. Thus setting themselves up for serious legal problems if customers/users had been burned 12:07
rdieter vallor, bjornts : no... other... option. period. 12:07
spevack BB|AtWork: heh 12:07
bryan_kearney1 stickster: I appreciate that, which is why we went back to turning it back on. No need to force hte SELInux discussion now. 12:07
bryan_kearney1 stickster: but, still need this to get the F10 Feature done 12:07
jds2001 quaid: question is clear.... 12:08
bryan_kearney1 i like the secondary mark 12:08
tc1415 in my opinion, not that it matters, if, for any reason, you _imply_ that the Package Collection may be compromised, you from that moment have a duty of care to say *there and then* _why_ you are implying that 12:09
bryan_kearney1 i like "Powered By Fedora" 12:09
vallor jds2001: having had experience with law enforcement and security incidents (including the 1998 "pentagon hacker" situation), I know that LE likes to throw lids on things that don't need lids -- for instance, not disclosing what happened doesn't help, since the bad guys _do_ know what happened, which means the bad guys have more info than the good guys! 12:09
* vwbusguy really likes "Powered by Fedora" and would like it even more if Fedora would package a separate secondary artwork rpm 12:09
vallor (to put it in simple terms) 12:09
jds2001 vwbusguy: secondary artwork rpm is there. 12:09
vwbusguy like a fedora-logos-OEM.noarch.rpm 12:09
bryan_kearney1 vwbusguy: +1 12:09
jds2001 vwbusguy: generic-logos 12:10
bryan_kearney1 jds2001: no.. those are anti-logos 12:10
* jds2001 hasn't actually looked at them :) 12:10
bryan_kearney1 jds2001: the same logos, with Fedora Gimp'ed out 12:10
jds2001 yeah, the artwork team could probably work on the secondary logos after we figure out stickster's two other questions :) 12:12
vwbusguy yeah, as much as possible it would be neat to have a powered by Fedora logo 12:12
vwbusguy I like "powered by fedora" a lot better than "based on", because it implies more of the credit to Fedora 12:13
bryan_kearney1 stickster: where?? 12:13
vwbusguy and less ambiguity as to what the OEm would be giving the customer 12:13
bryan_kearney1 quaid.. why secondary? 12:14
bryan_kearney1 selinux is enabled, just permissive 12:14
vallor rdieter vallor, bjornts : no... other... option. period. <--- "That is not an argument." 12:14
quaid bryan_kearney1: talking about the disabled version 12:14
inode0 powered by and based on imply two very different things to me 12:14
quaid bryan_kearney1: also, permissive hasn't passed releng review :D 12:15
bryan_kearney1 quaid: sorry 12:15
zcat "Powered by Fedora*" <small>*selinux-neutered edition</small> 12:15
quaid bryan_kearney1: trying to figure out what would happen if you didn't get main mark approval 12:15
quaid bryan_kearney1: IMO, secondary mark is going to be good enough for a lot of stuff if we market it correctly. 12:15
rdieter vallor: ok, option 2: disobey law-enforcment/lawyers, and blab anyway, risk imprisonment, getting sued. better? 12:15
spot i can't go back to prison. 12:16
bryan_kearney1 quaid: I will be pragmatic... I just want one tiny feature in F10 12:16
jds2001 stickster: we came up with the same thing IIRC - releng+spin SIG, come back when you have something :) 12:16
vallor somehow, I don't think the situation is that black/white ... i.e., false choice fallacy 12:16
bryan_kearney1 quaid: at this rate, I dont know if I can make it 12:16
rdieter vallor: don't assume 12:16
vallor but why not explain to the men and women in blue the special needs of the Fedora community, and find out what other piece of info can be disclosed 12:16
quaid bryan_kearney1: in terms of FESCo approval for the feature? 12:17
bryan_kearney1 no FESCo approved the Feature, Spin SIG Approved the SPIN 12:17
bryan_kearney1 Need Board Trademark Approval 12:17
quaid bryan_kearney1: so the timing is possible with the end-of-month target for TM stuff 12:18
rdieter vallor: good luck with that. :) 12:18
bjornts rdieter: Either you were privvy to the discusssionns with LE, or you are assuming. Which is it? 12:18
vallor rdieter: Sir, an attitude that you won't consult with the lawyers, or the LE, implies that the task might need to be delegated...if you are unwilling to check it for yourself, and for the benefit of the Fedora community? 12:18
bjornts rdieter: Nott that I'm not ready to agree to disagree with you by now. :) 12:19
herlo spevack: Not sure if this is applicable to the previous discussoin in the board but, So the patches that have been made and fixes that were applied to the infrastructure, did they help in solving this issue? 12:19
herlo I mean, what's to stop someone from doing this sort of break-in again? 12:19
bryan_kearney1 quaid: Beta Freeze is 2mrw, yes? 12:19
quaid bryan_kearney1: yes ... 12:19
rdieter herlo: investigation is still ongoing... 12:19
quaid but if the Feature is approved,that is unrelated to putting the TM on a spin 12:19
vwbusguy I'll try to get some time and submit logo ideas to the fedora artwork team 12:20
herlo rdieter: sure, I get that 12:20
bryan_kearney1 quaid: unless me enabling SELInux is required _and_ causes issues (dont know if it will) 12:20
rdieter herlo: and all that is said, is that they can't say more. :) 12:20
vwbusguy But I need guidelines first 12:20
herlo rdieter: I'm more interested in what updates/patches they've already put in place (even if they were already planned changes) 12:20
inode0 herlo: I don't think anyone has suggested that the problem could be fixed with a patch 12:20
herlo rdieter: no, you miss th epoint 12:21
vwbusguy Let's please not make the Vista Capable vs Vista Premium Ready. We need to be clear and specific with this in a way that isn't confusing to end users, not just OEMs. 12:21
herlo inode0: no, wasn't suggesting that either, just wondering what we can do if anything to secure our boxes now, while we wait 12:21
jds2001 lol spot 12:21
quaid bryan_kearney1: I'm just trying to sort out the urgencies and timing 12:21
bryan_kearney1 quaid: to be honest, it raised my risk level 12:22
bryan_kearney1 quaid: but not 10 100% 12:22
quaid bryan_kearney1: I don't see that the TM process is holding back your feature being in F10, and I'm unclear if a TM approval process affects the Feature process. 12:22
bryan_kearney1 whoops but not to 100% 12:22
rdieter herlo: I get the point, but asking for more details, when they're not allowed to give any, means.. well... 12:22
vallor herlo: well, you know what? Unless I hear more information, I'm going to have to assume they don't know how the bad guys broke in. That's the only rational reason I can come up with why folks are unwilling to talk to Red Hat legal, as well as LE, to disclose at least that -- in otherwords, it would seem "there is no 'there' there" :( 12:22
bryan_kearney1 quaid: without TM approval, the SPIN will not be hosted 12:22
tc1415 vallor: +1 12:22
bryan_kearney1 quaid: which is part of the Feature 12:22
herlo rdieter: wasn't asking for those sorts of details, more interested in *how* to protect my boxen 12:22
lwnjake vallor: that seems very plausible 12:23
* spot remembers an old quote about assumptions 12:23
rdieter something about an ass. 12:23
spot it involves a donkey and tijuana. 12:23
spot wait, that was college. 12:23
spot never mind. 12:23
inode0 herlo: why do you think you need to do more is my question? 12:23
tc1415 spot: an absense of information forces us to assume 12:23
quaid bryan_kearney1: I'll have to look again at the entanglements, but the Feature could be removed later before release, yes, if it failed to meet the final marks. 12:23
spot tc1415: oh, i know. 12:23
quaid bryan_kearney1: but here is what is confusing me: 12:23
bryan_kearney1 quaid: well.. removal is not my goal here 12:24
tc1415 and speculation is _always_ more damaging than the real thing 12:24
quaid let's say I make a feature called "Easily enable/disable SELinux from a panel button" 12:24
* herlo wants to be sure that the changes implemented at fedora infrastructure are ones he should implement. I'm sure there are common security issues that everyone takes care of, but I'm more interested in the edge cases like this one 12:24
spot tc1415: yes, so by all means, continue speculating. :) 12:24
herlo I'm just trying to see if there's anything viable to do while waiting for the final information, that is all 12:25
inode0 speculation is the nature of scientific thought - perfectly normal human behavior 12:25
quaid bryan_kearney1: understood; but the battle over SELinux usage doesn't affect your feature being approved _right_now_, so that means the timing is dependent on the TM process being finished. 12:25
tc1415 inode0: precisly! and spot: i intend to 12:25
rdieter herlo: many breakings are due to social engineering and/or insider jobs too. what of it? 12:25
lmacken what's wrong with system-config-selinux ? 12:25
jds2001 stickster: dont bend poelcat's arm too much, it might break like mine did :) 12:25
* herlo goes back to teaching security 12:25
-!- BB|AtWork [] has left #fedora-board-public ["Leaving"] 12:25
-!- jwilliam [] has left #fedora-board-public [] 12:25
quaid lmacken: sorry, it's a point I'm making :) 12:25
herlo rdieter: I know that, I think my question came across as naive, it wasn't intended to sound that way 12:25
lmacken quaid: ah 12:25
quaid would my feature be blocked? 12:26
bryan_kearney1 quaid: I believe that getting the spin into release engineering is held up by TM Approval 12:26
quaid because of TM usage? 12:26
stickster jds2001: o noez, no broken wings! 12:26
quaid bryan_kearney1: OK 12:26
bryan_kearney1 quaid: per kanarip, the process is SPIN->TM (Board) -> RELENG 12:26
spot tc1415: if you're looking for outlandish topics to add to speculation, you can include "Theo De Raadt", "the plight of the Australian Thylacine" and "ipchains" 12:26
bryan_kearney1 quaid: since the feature includes a spin, it is on the critical path 12:26
spot oh yes, and fairies. 12:27
tc1415 hey i like fairies.... 12:27
tc1415 [/sarcasm] 12:27
spot damn fairies. always all up in our internets, signing our packages. 12:27
-!- spevack [n=spevack@fedora/mspevack] has left #fedora-board-public [] 12:27
bryan_kearney1 i can haz pxedust? 12:27
rdieter herlo: you're assuming a technical flaw, or security exploit existed, that required fixing. may or may not be true. still doesn't mean anyone that knows can/will comment. 12:27
quaid bryan_kearney1: agreed, just making sure I understood the nature of the path 12:28
-!- stickster changed the topic of #fedora-board-public to: Next public Fedora Project Board meeting: TBA -=- 12:28
vallor well, thank you for relating what you felt comfortable with relating, spevack -- meanwhile, by not asking the tough questions, we remain in the dark...but at least stickster answered one question in pm, quote: I am in pretty much constant contact with the folks doing the investigation. 12:28
spot rdieter: well, at least not communicating with useful data. 12:28
quaid bryan_kearney1: I think you can argue with Spin that in this case, they need to temporarily waive the TM question, which happens to be dependent on ... Spins. 12:28
vallor but the follow up question -- and the question that was asked more than once, was: do they know how the break-in happened, and is that hole now plugged? 12:28
bryan_kearney1 quaid: will rel-eng buy that? 12:28
quaid bryan_kearney1: so the spin can go through in time for the release schedule, with a final dependency on the TM approval 12:29
* rdieter is glad not to be on the board anymore.  :) 12:29
bryan_kearney1 quaid: then I have to argue to have rel-eng spit out something which is not approved by the board 12:29
vallor and even that, stickster won't answer. 12:29
bryan_kearney1 quaid: I know how that will go 12:29
quaid bryan_kearney1: I don't know, but it seems to me that by being willing to wander off map and risk grues, you get some special consideration :) 12:29
spot vallor: dude, he can't answer. neither can i. 12:29
bryan_kearney1 quaid: I would prefer no special consideration :) 12:29
spot we're not going to risk prosecution for you. no offense. 12:29
stickster Yeah, I mean, I love Fedora, but I also love living at home, with my wife and kids. 12:30
bryan_kearney1 stickster: near carl's... yum 12:30
spot the instant we can, we will. 12:30
lwnjake spot: but that is exactly the problem, fully community distros would not face that 12:30
stickster bryan_kearney1: I wasn't going to mention Carl's, but... yeah, sure. 12:30
quaid lwnjake: not so 12:30
spot lwnjake: they would if their hosting provider got hacked. 12:30
quaid lwnjake: or do you refuse to show your driver's license when law enforcement requests it? 12:30
bryan_kearney1 stickster: it should be G*d->Wife->Carls->Country 12:30
vallor spot: Sir, you guys really need to go back to LE and legal and get permission to disclose that bit of information -- because if you can't answer that simple question in the affirmative, how do you think that feels to the end user? 12:31
-!- ivazquez [n=ivazquez@fedora/ignacio] has left #fedora-board-public ["I'm taking my ball and going home..."] 12:31
lwnjake hmm, skeptical 12:31
stickster 12:31
quaid spot: moreso, if you have a machine that is hosted by a provider or over broadband ISP, I bet the usage policy has some language about what they expect of you to do if you get cracked. 12:31
-!- goeran [] has quit [Client Quit] 12:31
lwnjake we have seen plenty of community distributions be *much* more open when this kind of thing has occurred 12:32
spot vallor: yep. we're trying, trust me. 12:32
quaid lwnjake: it just depends on the situation 12:32
spot lwnjake: it really really does depend on the situation. 12:32
quaid lwnjake: in this case, it happens to be a first -- community + publicly traded company in the same cage 12:32
skvidal lwnjake: no 12:32
tc1415 spot: does that mean LE are telling you not to? as in _specifically_ "you must not disclose to the Fedora comunity who we now understand exist" 12:32
skvidal lwnjake: this kind of thing never happened on any other distro 12:33
lwnjake for which we have to take your word ... not that i question it, i believe you all have the best of intentions 12:33
bryan_kearney1 stickster: If I send you 10 bucks, think you could get me a chocolate malt, extra malt? 12:33
spot tc1415: it means there is an ongoing investigation and we can't comment on ongoing investigations. 12:33
lwnjake skvidal: weren't some debian servers hacked a ways back? 12:33
tc1415 lwnjake: yes they were 12:33
skvidal lwnjake: was canonical also hacked? 12:33
lwnjake quaid: *that* is the key piece of the puzzle 12:33
vallor well, thank you gentlemen, I appreciate the efforts shown in this board meeting, and I would like to +1 the format -- very efficient. :) 12:33
skvidal lwnjake: no, they weren't 12:33
spot vallor: thanks for stopping by. 12:34
skvidal lwnjake: which is where the issue explodes outward 12:34
stickster vallor: We are here every month -- or at least we try our darnedest to be. 12:34
quaid lwnjake: to be clear, I use the term 'cage' in a generic sense, not in the datacenter sense :) 12:34
spot hey, we keep many of our best people in cages! :) 12:34
skvidal lwnjake: if this had just involved fedora, then it would have been a different thing, most likely. 12:34
skvidal lwnjake: but there was more to it and we had to talk together for better or worse 12:34
lwnjake skvidal: most likely 12:34
lwnjake it really reflects most poorly on Red Hat imo 12:35
skvidal lwnjake: but saying 'in this situation' in reference to other distros is disengenuous 12:35
skvidal b/c no other distro has ever had this situation 12:35
tc1415 indeed, and with that, good night everyone 12:35
lwnjake skvidal: i disagree 12:35
skvidal lwnjake: the debian event is not an analogue 12:35
skvidal it does not match up at all 12:35
skvidal there was no publicly held company involved 12:36
lwnjake bingo 12:36
skvidal so it doesn't match 12:36
lwnjake my point is that a truly community distro would not have this problem 12:36
lwnjake you just made that point for me, thanks ... 12:36
quaid there is no such thing 12:36
skvidal lwnjake: I'm not sure what game of gotcha you are playing 12:36
-!- tc1415 [i=blewis@fedora/tc1415] has left #fedora-board-public ["Off to eat pudding..."] 12:36
quaid in the sense of what you mean' 12:36
skvidal lwnjake: but I'm not playing the game 12:36
quaid but regardless 12:36
lwnjake there's no gotcha ... 12:36
quaid the point still works with "donated hosting provider who also got cracked" 12:36
quaid s/cracked/attacked/ whatever 12:37
spot damn. i thought this was lwn, not the reg. 12:37
-!- John5342 [] has left #fedora-board-public ["Does anybody actually read these messages?"] 12:37
spot anyways. 12:37
stickster I think lwnjake's point is that he has a specific definition of "community distro." It may not be the same as some other people's definition. 12:37
-!- spot [i=spot@redhat/spot] has left #fedora-board-public ["Leaving"] 12:37
quaid if $distro were at $hosting_provider that also happens to be owned by a publicly traded company, maybe they'd call $the_law, and we'd be having this same discussion about _them_ 12:37
-!- hibana [n=inetpro@unaffiliated/hibana] has left #fedora-board-public ["conversation brought to an end"] 12:37
lwnjake red hat legal has hung y'all out to dry ... 12:38
quaid stickster: yes, but that stillw orks 12:38
lwnjake that's my point ... and it is a personal one, not professional ... i am a longtime fedora user 12:38
quaid attached on community distro + publicly held company == different situation than attack on community distro alone 12:38
lwnjake exactly 12:38
quaid wouldnt' matter which community distro 12:38
quaid and Fedora matches the definition, yep 12:39
lwnjake debian? 12:39
skvidal lwnjake: here's an example 12:39
quaid it happens the biggest community contributor is Red Hat 12:39
lwnjake slackware? 12:39
quaid which also owns the mark, etc. 12:39
skvidal lwnjake: a debian server gets crack 12:39
skvidal ed 12:39
skvidal lwnjake: the cracker hosts A LOT of kiddie porn 12:39
skvidal and terrorist documentation 12:39
quaid good example 12:39
skvidal the hosting provider gets a national security letter 12:39
skvidal debian is down and out 12:39
skvidal and not allowed 12:39
skvidal AT ALL 12:40
skvidal to speak about it 12:40
skvidal would that be a failing of debian? 12:40
lwnjake we can discuss scenarios all day, it doesn't change the fact that you folks can't even confirm whether you know how the intrusion occurred 12:40
skvidal or would it be the fact that law is different 12:40
quaid or did someone hang them out to dry? 12:40
vallor quaid: I guess the chilling factor is folks' unwillingness to take these concerns (which are most likely held by everybody who care about the integrity of the software on their systems), to legal/LE, explaining that this isn't an "ordinary" break-in case, and that us starving dogs could sure use a bone :) 12:40
lwnjake which makes me uncomfortable running the distribution ... 12:40
skvidal vallor: unwillingness? 12:41
quaid lwnjake: I thought all the "can't comment on an ongoing investigation" stuff covered that; why is that bad? 12:41
skvidal vallor: seriously? do you think anyone has been unwilling? 12:41
stickster vallor: I think that's probably not a valid characterization. 12:41
skvidal vallor: do you think we haven't asked? 12:41
quaid vallor: you assume that wasn't done, isn't being done, nor is not part of the discussion 12:41
skvidal vallor: do you think we wenjoy this?! 12:41
lwnjake quaid: because it comes from red hat legal or at least that is the perception 12:41
skvidal lwnjake: and? 12:41
lwnjake skvidal: i am sure you don't enjoy it and i am sure you folks have done everything you could to rectify the situation 12:42
skvidal lwnjake: there is only one step which hasn't been taken yet 12:42
skvidal no one has quit 12:42
skvidal and even if someone did 12:42
skvidal they STILL could not talk about it 12:42
vallor skvidal, stickster, quaid: try to put yourself in my shoes -- I'm pretty much in the dark, and nobody will confirm to me that whatever hole there was is now plugged. I can't see why LE/legal wouldn't allow you to answer that question, given the special nature of the community affected 12:43
skvidal so it would be a useless gesture 12:43
inode0 observation: people expect a lot from Fedora because its community is exceptional ... and in this case Fedora's community success has led to unreasonable expectations 12:43
skvidal vallor: every patch we've applied is public 12:43
rdieter inode0: +1, totally. :) 12:43
jds2001 inode0: +1 12:43
skvidal vallor: everything we have in terms of software, you have 12:44
skvidal vallor: EVERYTHING 12:44
-!- ongolaBoy [n=willy@] has left #fedora-board-public [""too much for me now""] 12:44
skvidal I cannot talk about the status of the intrusion - I can only comment on the systems I help maintain 12:44
vallor skvidal: that's comforting to know...except, my software hasn't been updated since Aug. 12th... and early, a kind gentleman pointed out that there was some fedora-release rpm pending, which would swing us over to the newly-signed packages 12:45
skvidal vallor: if you have a account 12:45
skvidal log in 12:45
skvidal run rpm -qa 12:45
skvidal vallor: yes, that's been announced quite a bit 12:45
skvidal vallor: on lwn in fact 12:45
vallor by the way, I appreciate your willingness to discuss this 12:46
-!- daju [n=daju@unaffiliated/daju] has quit [Client Quit] 12:46
-!- Jeff_S [n=jeff@osuosl/staff/Jeff-S] has left #fedora-board-public [] 12:46
skvidal I am only telling you what's already been disclosed 12:46
skvidal all of the above is public knowledge 12:46
rdieter I think it helps for people need to hear it, re-iterated, lathered/rinsed/repeated 12:47
quaid rdieter: +1 12:47
vallor skvidal: so there's a link to this rpm somewhere in LWN? I haven't been reading LWN, I've been watching the fedora announce list :/ 12:47
lwnjake hear what? 12:47
* inode0 reminds board members and other "Fedora consumed" parties that everyone else can't keep up with every meeting and other bit of "public information" about this 12:47
rdieter that almost made sense. 12:47
quaid maybe we can get some new voices saying it, too 12:47
spoleeba inode0, and we can? 12:47
stickster vallor: 12:48
stickster And 12:48
spoleeba inode0, how am I different than everyone else? 12:48
quaid f-announce-l is the king 12:48
* vallor just pulled it up... 12:48
skvidal msg stickster I'm pretty sure I'm safe here but please tell me if I've said something I shouldn't have 12:48
skvidal haha 12:48
lwnjake so is the "official announcement" imminent? 12:48
skvidal oh well 12:48
quaid I am different now, for the first time in all my years, Fedora is my $dayjob 12:49
vallor stickster: where is that announcement here? 12:49
quaid and I still can't keep up :) 12:49
ricky vallor: Announcement of what? 12:49
inode0 spoleeba: I have no idea how you are different than everyone else but I'm pretty sure you are. :) 12:49
spoleeba inode0, im pretty sure im not 12:49
ricky Your IRC nick ends with an 'a' 12:50
skvidal ricky: and his nick has changed many times over the years 12:50
skvidal  :) 12:50
spoleeba ricky, yes.. im not afraid to show my feminine side by using an irc name with a feminine spanish ending..i guess that does make me different 12:50
stickster skvidal: YOU ARE SAFE 12:50
inode0 spoleeba: I'm pretty sure I'm different than everyone else too 12:50
vallor btw, someone should tell #fedora about this announcement, I've been assuming they would say something :/ 12:50
skvidal stickster: thanks ;) 12:51
vallor heck, I'll tell them 12:51
* ricky still doesn't know what new announcement is being discussed 12:51
inode0 my point was something else entirely though that I suspect was missed 12:51
vallor ricky: 12:51
ricky There was fedora-announce-list, which was regularly spammed on #fedora 12:51
spoleeba ricky, its jesse's 'we are almost there i promise' message from yesterday 12:51
stickster vallor: Um, it's the fifth one down, indented slightly? 12:52
ricky Aha, I don't think the last one was spammed :-) 12:52
ricky (There was a script to post some of the earlier ones repeatedly) 12:52
lwnjake so, do we expect the "more formal announcement" soon? 12:52
vallor stickster: ah, missed that 12:52
stickster vallor: We recommend all Fedora community members subscribe to fedora-announce-list 12:52
spoleeba lwnjake, for an undisclosable value of soon.... sure 12:52
stickster You should too, and then you'll get the email roughly the minute it comes out 12:52
skvidal spoleeba: s/undisclosable/unknown/ 12:53
inode0 lwnjake: I'd recommend not expecting that - less chance of being disappointed 12:53
spoleeba skvidal, i actually know when.. i have a time machine 12:53
skvidal excellent 12:53
lwnjake perhaps " 12:53
lwnjake We expect things to wrap up by the end of today 12:53
lwnjake or early tomorrow. 12:53
spoleeba skvidal, but i will not threaten the timeline by revealing the information 12:53
lwnjake was a bit premature 12:53
jds2001 vallor: [jstanley@rugrat 9]$ pwd 12:53
spoleeba lwnjake, thanks 12:53
jds2001 /mirror/fedora/updates/9 12:53
jds2001 [jstanley@rugrat 9]$ ls 12:53
jds2001 i386 i386.newkey SRPMS SRPMS.newkey x86_64 x86_64.newkey 12:53
jds2001 gack 12:53
skvidal could you get me a newspaper from my birthday :) 12:53
spoleeba lwnjake, in the future ill make sure we make statements even more speculative 12:53
jds2001 oh well, that's what wass in the pastebin i was gonna paste. 12:54
spoleeba lwnjake, and more abstract 12:54
spoleeba lwnjake, because everyone loves it when we do that 12:54
stickster spoleeba: Actually, they love it whether we do that, or not. 12:54
jds2001 note that is my home mirror, and I have content signed with the new key. 12:54
jds2001 I have seen it with my own two eyes. 12:54
vallor I'm going to sign up for the announce list -- at least I'd be a little further along in figuring out what happened :) -- but I'll own that, I missed the update on the mailing list archive 12:54
spoleeba jds2001, you should get more eyes... 12:55
stickster vallor: The good news is, that list is normally only a handful of messages a week, so it's not going to jam your inbox with a lot of stuff. 12:55
stickster But we try and put things there that are of general interest, to keep people informed. 12:55
jds2001 spoleeba: I'll have them implanted in the back of my head :) 12:55
lwnjake thanks all for the discussion ... gotta go ... 12:55
-!- lwnjake [n=jake@] has quit [Read error: 104 (Connection reset by peer)] 12:56
vallor subscribed! :) 12:58
-!- inode0 [n=inode0@fedora/inode0] has quit [Client Quit] 13:00
vallor thank you, folks -- take care :) 13:00

Generated by 2.6 by Marius Gedminas - find it at!