From Fedora Project Wiki


Revision as of 18:42, 30 August 2008 by Ush (talk | contribs) (1/5 of @fedora-devel, needs lots of love)

Developments

In this section the people, personalities and debates on the @fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

Intrusion Recovery Slow and Steady

A politely phrased request[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01102.html ] was made on 25-08-2008 by Mike Chambers for information about when normal service would resume. Enigmatically, Dominik 'Rathann' Mierzejewski observed[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01122.html ] that there had been “some speculation on fedora-advisory-board that might explain the information blackout, so please don't jump to conclusions until you really know what happened”. This led Chris Adams to observe that the list archives appeared to be offline and to restate the request for information: “[...] in the absence of information, rumors and speculation fill the gap (which is not good).”

Several days later (on 28-08-2008) a similar request was made[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01308.html ] by Alan Dunn. He wondered whether bodhi was pushing updates out again, and Josh Boyer responded[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01309.html ] that planning and implementation of “how to revoke the current gpg key used to sign RPMs” were in progress. Jesse Keating cautioned[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01310.html ] that the migration to a new key would be slow: “I'm currently re-signing all of the 8 and 9 content with these new keys so that we can make them available along with the new updates with the new key for these product lines. This is going to take some time due to the nature of how our signing works.” A proposal mooted[footnote: http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html ] on @rel-eng by Warren Togami provided some insight into at least the part of the plans that deals with how to distribute a new package signing key.

nodata asked[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01313.html ] whether the new plans included a means to push out critical security updates even while there was a general outage. The thinking behind this seems to be that an attacker could decide to knock out Fedora infrastructure in order to gain some time to exploit a known vulnerability even if a simple fix existed. Jesse Keating replied[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01314.html ] confidently that in such a scenario the Fedora Project would do “whatever it takes [...] to get a critical update onto a public webserver should the need arise” and cautioned against trying to plan for every possible scenario. Toshio Kuratomi added[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01316.html ] that although it might be possible to speed up recovery “[...] unfortunately if the infrastructure problem is bad enough, there's no way we can push package X out until the problem is at least partially resolved.”

On 27-08-2008 Paul Johnson noted that it was possible to “compose and build” and asked “when will updates via yum become available for rawhide?” Jeremy Katz responded[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01249.html ] that “[a]t the moment, the compose is falling over for new reasons unrelated to the infrastructure changes. Hopefully we'll see a rawhide make its way out to the masses real soon now.” Later Mike Chambers and Ola Thoresen reported[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01350.html ] that updating from Fedora 9 to Rawhide seemed to be working. Several Rawhide Reports appeared[footnote: https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01339.html ].