
The Fedora-Red Hat Crisis

Soulskill posted more than 6 years ago | from the evidently-it-doesn't-start-at-the-top dept.

Red Hat Software 263

jammag writes "When Linux journalist Bruce Byfield tried to dig for details about the security breach in Fedora's servers, a Red Hat publicist told him the official statement — written in non-informative corporate-speak — was all he would get. In the wake of Red Hat's tight-lipped handling of the breach, even Fedora's board was unhappy, as Byfield details. He concludes: 'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'"


This is horrible. I am not joking. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24942407)

The Micropenis. [wikipedia.org] I repeat, it is HORRIBLE! Don't say you weren't warned.

Re:This is horrible. I am not joking. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24942573)

That's my penis, you insensitive clod!

Re:This is horrible. I am not joking. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24942691)

From the parent's article:

Finally, several Homeobox genes have been identified which affects penis and digit size without detectable hormone abnormalities.

WooHoo!
 
[Some brightly-colored yet sterile alcove in a business district, year 2020]
  Patron: "Hi, I'll have the Nigger Special, please."

Consider Red Hat's response vs. Debian's (5, Insightful)

Bruce Perens (3872) | more than 6 years ago | (#24942425)

I liked the way that Debian handled its server breach, and the more recent SSL bug. They realized that their first responsibility was to the users. They knew that not just Debian but all Debian derivatives like Ubuntu would be effected, and that the best way to handle it was to publish the full details and what they were doing to fix them. They came out of both situations looking better than Red Hat has this time. And it's not what Fedora looks like. Red Hat obviously took control, shutting off outside reporting in a way that never would have flown with a real Open Source project rather than a company dominating an Open Source project, and thus Red Hat got the loss of credibility.

The problem with a lot of corporate Open Source is that they ignore the ethical foundation of Open Source. And eventually we find out that Open Source isn't quite as good without the ethics.

Bruce

Re:Consider Red Hat's response vs. Debian's (5, Interesting)

Anonymous Coward | more than 6 years ago | (#24942597)

I pretty much agree: Fedora was obviously squelched by Red Hat corporate who was apparently afraid of the reaction of their paying customers. Despite the token board openings and motions about openness, after this nobody can pretend that Fedora is on anything but a *very* short leash held by Red Hat.

On the one hand, as a user I found myself trusting that Fedora's infrastructure crew were plugging away and probably handling things about as well as could be. On the other hand, the vague statements and lack of hard facts was (and still is) disturbing.

They should have come clean, and allowed the community to vet their process.

Ob-FUD [just poking Bruce for fun]: If they do come forth with details, it will be interesting to see if it was an ssh key compromised by the Debian flaw that caused this mess.

Re:Consider Red Hat's response vs. Debian's (4, Interesting)

Bruce Perens (3872) | more than 6 years ago | (#24942659)

Ob-FUD [just poking Bruce for fun]: If they do come forth with details, it will be interesting to see if it was an ssh key compromised by the Debian flaw that caused this mess.

I got an email from Starfield a while back offering to re-key my SSL certificates because they had figured out that my original request was using Debian's compromised OpenSSL. I had already rekeyed by then.

Thawte is Debian based. I wonder if they had a problem.

Re:Consider Red Hat's response vs. Debian's (5, Interesting)

atomic-penguin (100835) | more than 6 years ago | (#24942819)

Thawte is Debian based. I wonder if they had a problem.

I checked our Thawte keys/certs against the SSL blacklist released by Debian. I checked several from Thawte, and could not find a potentially compromised key/cert.

Also, we are a Red Hat customer. I have to agree, I prefer the way Debian handled their incident, versus the way this Red Hat incident is being handled. After reading the Red Hat Security Announcement the details are so vague, I am still not sure of the scope and reach of this vulnerability.
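The check atomic-penguin describes above, as an added example that is not code from this thread or from Debian's openssl-blacklist package. It assumes the fingerprint convention used by Debian's openssl-vulnkey as understood here: SHA-1 over the exact line that `openssl x509 -noout -modulus -in cert.pem` (or `openssl rsa -noout -modulus`) prints, i.e. `Modulus=<UPPERCASE HEX>` plus newline, keeping only the last 20 hex digits. If that assumption is wrong the lookups simply never match, so compare one known-weak key against the packaged tool before relying on it. The moduli and the blacklist contents below are constructed for the demo, not real keys or real blacklist entries.

```python
"""Check RSA moduli against a Debian-style weak-key blacklist (added example)."""
import hashlib
import re
from typing import Dict, Iterable, Set

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def normalise_modulus(modulus: str) -> str:
    """Accept 'Modulus=ABCD', 'abcd' or 'AB:CD' and return upper-case hex."""
    text = modulus.strip()
    if text.lower().startswith("modulus="):
        text = text[len("modulus="):]
    text = text.replace(":", "").replace(" ", "")
    if not HEX_RE.match(text):
        raise ValueError("modulus is not a hex string")
    return text.upper()


def blacklist_fingerprint(modulus: str) -> str:
    """Fingerprint the blacklist files are keyed on (assumed convention, see lead-in):
    last 20 hex digits of SHA-1("Modulus=<HEX>\\n"), the text openssl prints."""
    line = "Modulus=" + normalise_modulus(modulus) + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def load_blacklist(lines: Iterable[str]) -> Set[str]:
    """Parse blacklist.RSA-* style text: one 20-hex-digit entry per line, '#' comments."""
    fingerprints = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) != 20 or not HEX_RE.match(entry):
            raise ValueError("malformed blacklist entry: %r" % raw)
        fingerprints.add(entry)
    return fingerprints


def is_blacklisted(modulus: str, blacklist: Set[str]) -> bool:
    return blacklist_fingerprint(modulus) in blacklist


def audit(moduli: Dict[str, str], blacklist: Set[str]) -> Dict[str, bool]:
    """Map each label (e.g. a file name) to True if its modulus hits the blacklist."""
    return {name: is_blacklisted(m, blacklist) for name, m in moduli.items()}


# Constructed moduli for the demo, not real keys. WEAK_MODULUS is planted in the
# demo blacklist; GOOD_MODULUS is not.
WEAK_MODULUS = "C0FFEE" * 86 + "01"
GOOD_MODULUS = "DEADBEEF" * 64 + "0B"

DEMO_BLACKLIST = load_blacklist([
    "# constructed blacklist for the example; the real files carry far more entries",
    blacklist_fingerprint(WEAK_MODULUS),
])

if __name__ == "__main__":
    # In practice: pipe `openssl x509 -noout -modulus -in cert.pem` output in here
    # and load /usr/share/openssl-blacklist/blacklist.RSA-<bits> as the blacklist.
    for name, hit in audit({"weak.pem": WEAK_MODULUS, "good.pem": GOOD_MODULUS},
                           DEMO_BLACKLIST).items():
        print("%s: %s" % (name, "BLACKLISTED" if hit else "ok"))
```

Note that a certificate carries only the public modulus, so this tells you whether the key was generated by the broken Debian OpenSSL, not whether anyone has already exploited it; a hit means re-key and revoke regardless.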

Re:Consider Red Hat's response vs. Debian's (3, Insightful)

wumingzi (67100) | more than 6 years ago | (#24942975)

I pretty much agree: Fedora was obviously squelched by Red Hat corporate who was apparently afraid of the reaction of their paying customers///////////// shareholders. Despite the token board openings and motions about openness, after this nobody can pretend that Fedora is on anything but a *very* short leash held by Red Hat.

As they say on that snarky message board across town, fixed it for ya.

As a publicly traded company, Red Hat's primary responsibility is to produce a profit for its shareholders. That is the law. If the officers of the company do anything which interferes with that solemn legal duty, they risk lawsuits, and even jail time for breach of fiduciary responsibility.

If an overly open disclosure policy is perceived to affect future sales or the value of the brand (i.e. "goodwill"), legal will tell them to say nothing unless they are breaking a bigger law (i.e. gross negligence) by saying nothing.

It's strange, but it makes money, which the law says is the only thing that matters.

Re:Consider Red Hat's response vs. Debian's (3, Insightful)

InlawBiker (1124825) | more than 6 years ago | (#24943123)

That is ridiculous. The law certainly does not say that making money is the only thing that matters. Companies private and public have a responsibility to act in an ethical manner. That's what Sarbanes-Oxley and ethics officers are for. Besides that it's poor public relations. It would have been in Red Hat's best interest to disclose details. If they had then maybe their credibility wouldn't be called into question.

Re:Consider Red Hat's response vs. Debian's (-1)

Anonymous Coward | more than 6 years ago | (#24943375)

If an overly open disclosure policy is perceived to affect future sales or the value of the brand (i.e. "goodwill"), legal will tell them to say nothing unless they are breaking a bigger law (i.e. gross negligence) by saying nothing.

Sorry, but that's a fantasy. For one thing, their reputation is harmed by *not* fessing up. Secondly, that kind of logic could be used to justify covering up all kinds of malfeasance, but it won't fly in either a court of law or the court of public opinion.

And neither will the whole "we can't talk because it's under investigation" crap. If an ssh key was compromised somehow, you can say that without jeopardizing any legal process (and they damn well know it, so every time they mouth that BS they lose more credibility).

Re:Consider Red Hat's response vs. Debian's (2, Interesting)

Wheat (20250) | more than 6 years ago | (#24943429)

If an overly open disclosure policy is perceived to affect future sales or the value of the brand (i.e. "goodwill"), legal will tell them to say nothing unless they are breaking a bigger law (i.e. gross negligence) by saying nothing.

However, the Red Hat brand is synonymous with openness and trustworthiness - if they say nothing they could be affecting the value of their brand and breaking the law. But I've never studied any of the laws governing shareholder responsibility. Anyone with knowledge of these things care to comment on how these laws could be interpreted in this case?

Which law? Quotes please. (4, Interesting)

jotaeleemeese (303437) | more than 6 years ago | (#24943709)

I see very often this quoted without any substantiation.

I thought that the responsibility of a company was to stick to whatever they say they will do in their charter of incorporation, then shareholders sharing that vision would finance the venture.

If the company's own rules mandate that openness and accountability are part of how the company functions, and shareholders used their judgement and accepted that, profit may take a second seat in the view that in the long term, the business strategy of transparency is deemed to be necessary in turn to make the enterprise profitable.

The problem with many investors is their short-sighted, quarterly short-termism and companies that do not ensure ways to handle that in a way that makes sense in a longer term.

Re:Consider Red Hat's response vs. Debian's (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24943819)

As a publicly traded company, Red Hat's primary responsibility is to produce a profit for its shareholders. That is the law. If the officers of the company do anything which interferes with that solemn legal duty, they risk lawsuits, and even jail time for breach of fiduciary responsibility.

But nowhere does it say that it has to be short term profit at the cost of anything else, although CEOs and their ilk appear to understand it that way, since that is the way they themselves profit the most.

Re:Consider Red Hat's response vs. Debian's (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24942619)

"The problem with a lot of corporate Open Source is that they ignore the ethical foundation of Open Source. And eventually we find out that Open Source isn't quite as good without the ethics. "

That reminds me. Are we still giving Tivo the silent treatment?

Re:Consider Red Hat's response vs. Debian's (1)

cryptoluddite (658517) | more than 6 years ago | (#24942681)

Did you consider that Red Hat may not have legally been able to give much more information? It probably took serious effort to compromise their system, more than some random hacker.

You're touting Debian, but what I wonder is would they even know they were hacked? Last time their servers were compromised wasn't it like several months before they even discovered it? Seriously, what good is 'oss reporting' of the problem if it has gone undetected for months? IIRC there was at least one ~2003 and one ~2006, but I don't remember how long between hack, discovery, and recovery.

Re:Consider Red Hat's response vs. Debian's (4, Informative)

Bruce Perens (3872) | more than 6 years ago | (#24943023)

Red Hat has an accepted path to make vulnerability information available, through CERT. There are no super crackers or super vulnerabilities that you can't talk about. Probably it was like the Debian situation. Someone got sloppy and had their password sniffed. Then once on the system a privilege-escalation vulnerability was used.

The Debian compromise lasted about two hours. The attacker had sniffed a developer password some time before then, but it wasn't until he could get root that he did anything dangerous, and he did stuff that revealed him to the site admins. The main problem was in the kernel, which had the privilege-escalation bug. Red Hat was vulnerable too.

Bruce

Re:Consider Red Hat's response vs. Debian's (3, Informative)

cryptoluddite (658517) | more than 6 years ago | (#24943385)

According to reports, Debian detected one compromise because of a faulty rootkit that (props to the author) had many, many flaws. The other compromise was detected by a 'filesystem integrity check' -- if you think that inspires confidence in people then GTFO. Those hackers screwed up... basically Debian only discovered their systems were compromised by dumb luck and simplistic checks.

This is why Debian isn't used by anybody even moderately serious about system security.

Probably it was like the Debian situation. Someone got sloppy and had their password sniffed. Then once on the system a privilege-escalation vulnerability was used.

"Probably" meaning "you hope", because it makes Debian look better by comparison. What you are engaging in is idle speculation, but what's known is that Red Hat are very serious about security.

Re:Consider Red Hat's response vs. Debian's (1)

anticlimate (1093749) | more than 6 years ago | (#24943803)

Butterfingers!
Sorry, I accidentally rated you Troll (was thinking of clicking Informative) - now I hope writing here will revert it...

Affecting me to effect change has a good effect. (1, Informative)

Anonymous Coward | more than 6 years ago | (#24942757)

They knew that not just Debian but all Debian derivatives like Ubuntu would be effected

Affected. The word is affected, not effected. Sorry Bruce, but I can't help it -- I'm an Anonymous Coward.

Re:Affecting me to effect change has a good effect (2, Funny)

Anonymous Coward | more than 6 years ago | (#24942855)

Disregard that. OP has it right. I suck cock and need grammar lessons.

Re:Affecting me to effect change has a good effect (1, Informative)

Bruce Perens (3872) | more than 6 years ago | (#24943181)

People have been dinging me on Effect vs. Affect for 3 decades. They are all right and all wrong, because legitimate dictionaries give one of the definitions of "affect" as "to have an effect upon".

Emerson to them all!

Re:Affecting me to effect change has a good effect (2, Informative)

75th Trombone (581309) | more than 6 years ago | (#24943283)

"Affect" DOES mean "to have an effect upon". That's not the disputed definition.

Perhaps when you switch them in your defense of your chronic switching of them, that's evidence that you're wronger than the other wrong people. :)

[Meant lightheartedly, I don't honestly care what you type.]

Re:Affecting me to effect change has a good effect (1, Informative)

Anonymous Coward | more than 6 years ago | (#24943661)

legitimate dictionaries give one of the definitions of "affect" as "to have an effect upon".

Indeed. Though you have attacked the wrong horn of the problem.

Affect = to have an effect on; to influence [something pre-existing]
Effect = to bring about, to implement [until finalized, hence more than an influence]; to cause to come into being [something not pre-existing]

It can't be easier for a non-native English speaker than for a native one, or can it?

Re:Consider Red Hat's response vs. Debian's (1, Funny)

Anonymous Coward | more than 6 years ago | (#24942771)

/. needs a +1 Bruce Perens option

Re:Consider Red Hat's response vs. Debian's (1, Funny)

Anonymous Coward | more than 6 years ago | (#24942915)

Why not just give him a +5 karma bonus on every post?

I also recommend adding a large red border to every post, and banner image containing the text: 'OMG! It's Bruce Perens!' flashing like a Las Vegas slot machine.

Re:Consider Red Hat's response vs. Debian's (0)

Anonymous Coward | more than 6 years ago | (#24942993)

Why not just give him a +5 karma bonus on every post?

I also recommend adding a large red border to every post, and banner image containing the text: 'OMG! It's Bruce Perens!' flashing like a Las Vegas slot machine.

Your mauther's a slot.

Re:Consider Red Hat's response vs. Debian's (3, Interesting)

that this is not und (1026860) | more than 6 years ago | (#24943293)

Anybody who has been on Slashdot long enough knows that the reason UID numbers are emblazoned right up on the top of each comment was because of Bruce Perens' hissy fit when someone with a slightly misspelled copy of his name came on Slashdot and started masquerading as him (in a fashion to mock him, for the most part).

Slashdot became ever so slightly less egalitarian that day, when 'UID cred' became something touted right up on the header of each comment.

So here's a long belated: Thanks, Bruce.

Re:Consider Red Hat's response vs. Debian's (0)

Anonymous Coward | more than 6 years ago | (#24943477)

AC who wrote the parent here. Mods: are you so completely clueless that you can't see a joke.

I wasn't even being sarcastic, it would be frickin' genius if Bruce Perens had a flashing banner. Better if the banner is obnoxious Flash, double-plus good (irony points) if it's a Silverlight banner.

Re:Consider Red Hat's response vs. Debian's (1)

Tubal-Cain (1289912) | more than 6 years ago | (#24943101)

This is what the "Friend" feature is for.

Re:Consider Red Hat's response vs. Debian's (3, Insightful)

Elektroschock (659467) | more than 6 years ago | (#24942917)

Bruce Byfield is a troll. So why debate his accusations?

Yes, there are many problems: patents [stopsoftwarepatents.org] , open standards, dmca restrictions and so forth. But open source is still the best of all worlds.

RedHat as a company applies the usual tactics but as a community member gives a lot. Sure corporations are vulnerable to money. Novell is a good example...

Re:Consider Red Hat's response vs. Debian's (0, Redundant)

the_B0fh (208483) | more than 6 years ago | (#24943089)

Wow. You should be working in the elections - why debate the issues when you dismiss a person.

Even better - redhat might suck, but all the other companies suck even more, so it's still ok...

I have just lost a little more hope in this world.

Re:Consider Red Hat's response vs. Debian's (4, Insightful)

rtfa-troll (1340807) | more than 6 years ago | (#24943007)

Reading between the lines, it seems there's an ongoing investigation into the incident and they aren't allowed to communicate. I'll wait until I know much more about this before I make my final decision on how RedHat behaved.

Re:Consider Red Hat's response vs. Debian's (3, Funny)

hdparm (575302) | more than 6 years ago | (#24943299)

Collective anxiety on Slashdot is unbearable. We sure hope that the info will be available soon, so we can find out what your final decision is. No doubt, Red Hat feels the same.

Re:Consider Red Hat's response vs. Debian's (0)

Anonymous Coward | more than 6 years ago | (#24943113)

They knew that not just Debian but all Debian derivatives like Ubuntu would be effected

I know that on average correct affect/effect use is a miss on /. but from Bruce? Sad times.

Re:Consider Red Hat's response vs. Debian's (0)

Anonymous Coward | more than 6 years ago | (#24943679)

I think you mean the ethical foundations of Free Software. The foundations of Open Source are you and ESR trying to trick corporations into freeing their code.

Re:Consider Red Hat's response vs. Debian's (5, Insightful)

segedunum (883035) | more than 6 years ago | (#24943853)

I liked the way that Debian handled its server breach, and the more recent SSL bug.

Unfortunately, that uncovered something perhaps more serious at the heart of Debian. Stop hacking on stuff downstream that you don't have any real idea about and that will only affect you if it blows up. The SSL thing has been a disaster waiting to happen, and it will probably happen again.

welcome to the world (0, Troll)

timmarhy (659436) | more than 6 years ago | (#24942505)

maybe when your a bare foot long haired hippy like stallman you can afford the luxury of disclosing everything to the world, but when your a company with peoples futures and jobs on the line often its not a good idea to expose all of the details.

frankly anyone who can't see that has never been in a real business situation before

The real world is a bit different than that. (2, Insightful)

Bruce Perens (3872) | more than 6 years ago | (#24942601)

The problem with not coming clean by 1) saying what happened and what you did wrong and 2) saying how you're going to fix it is that nobody will ever trust you again afterwards. IT managers now know that RH is going to go unresponsive when there's a problem. How can they trust Red Hat again? It might be different if RH was the only game in town, but there is an accepted standard for performance by thousands of Open Source projects in this sort of situation, and it's known as the best practice in the entire IT field, and Red Hat fell short.

They have to buy people's trust again now with their actions, and it's going to take years, if they even do it.

Re:The real world is a bit different than that. (1)

The End Of Days (1243248) | more than 6 years ago | (#24942951)

The problem with not coming clean by 1) saying what happened and what you did wrong and 2) saying how you're going to fix it is that nobody will ever trust you again afterwards.

That's only true for fairly limited definitions of nobody. Otherwise Microsoft would be a hell of a lot smaller than they are.

The Jury is Still Out (5, Interesting)

bill_mcgonigle (4333) | more than 6 years ago | (#24942979)

IT managers now know that RH is going to go unresponsive when there's a problem.

The issue isn't even fully known, so you're jumping to conclusions.

For some reason Fedora has to re-key all their repos and, while I think that's done, it's still being mirrored. One would assume a signing key has been lost.

Redhat isn't doing that. They apparently have a signing server, and a user's credentials were apparently lost, and some packages got signed, but not put in the repos. If you run a RedHat machine and get an unsolicited contact to install some new OpenSSH packages - don't.

I think Fedora has the bigger problem at the moment. Let them work through the problem, they know how to do this. When the users are safe (still an ongoing topic of discussion on how to best ensure this) my guess is they'll be releasing more information. I further suspect we'll learn that prior disclosure would have put users at more risk. We'll see.

How can they trust Red Hat again?

Historically the Fedora guys have been trustworthy to the extreme. That's why not everybody is jumping on them right now, despite the distro-partisans who smell blood in the water. Again, we'll re-evaluate our position on that once the dust settles.

The jury must be very patient, indeed (4, Insightful)

Bruce Perens (3872) | more than 6 years ago | (#24943069)

The issue isn't even fully known, so you're jumping to conclusions.

I would have phrased it differently: The issue isn't fully known, thus there's a problem.

There's been quite a lot of time.

Re:The jury must be very patient, indeed (3, Informative)

bill_mcgonigle (4333) | more than 6 years ago | (#24943779)

I would have phrased it differently: The issue isn't fully known, thus there's a problem.

There's been quite a lot of time.

That's true. The issue is can you say confidently that disclosure of the problem wouldn't put users at risk?

That's the only reasonable reason for the delay that I can see. Since these guys are usually quite reasonable I'm making the assumption that's what's going on (or something I've completely missed). It may turn out my trust was misplaced - we should know shortly. Jesse Keating just announced [redhat.com] updates are going out to the mirrors since I last posted.

Re:The Jury is Still Out (1)

awrowe (1110817) | more than 6 years ago | (#24943365)

I'm a relative newcomer to open source politics and what's more, I know very little beyond the basics about Red Hat/Fedora, but is it possible Fedora is re-keying all their repos because they no longer trust the Red Hat ones? Losing a signing key might be the reason, but coming so soon after Red Hat's security breach, I don't think so.

Just looking at the body language here, I think Fedora is more grumpy about the way Red Hat is dealing with this than they are letting on.

'Course I could be completely wrong, but that's what it reads like to me.

We do have Fedora's account of the incident (2, Informative)

Sits (117492) | more than 6 years ago | (#24943797)

For some reason Fedora has to re-key all their repos and, while I think that's done, it's still being mirrored. One would assume a signing key has been lost.

Have you already read the Fedora report? Fedora did release a report about the incident [lwn.net] . Within it they say that while an attacker was able to reach a Fedora signing system they do not believe that the key's passphrase was compromised. However it states that as precaution they have decided to create a new key.

The Red Hat side of things is different and far... trickier. I point you towards this LWN article about the intrusion [lwn.net] as I think it's hard to say such simple statements about it.

Re:The real world is a bit different than that. (1)

adamchou (993073) | more than 6 years ago | (#24943081)

The problem with not coming clean by 1) saying what happened and what you did wrong and 2) saying how you're going to fix it

This is a problem with Redhat's security so why would they need to disclose how the breach occurred and how they fixed it? You don't need to know my security protocols and infrastructure or the weaknesses in them so what makes you think Redhat is going to disclose to you theirs?

nobody will ever trust you again afterwards.

You're wrong here. No one that doesn't run a business will ever trust them again. But frankly, it's not the consumer they're after anyways. Redhat has a reputation for leading the industry and releasing quality products in the past. This one incident isn't going to tarnish their name enough to stop using them.

And if you'll RTFA, the issue the author is arguing about is

Under these circumstances, the company's wish to proceed cautiously and with as little publicity as possible is perfectly natural. The problem is that, in moving to defend its own credibility, Red Hat has neglected Fedora's.

Frankly, you have to understand that Redhat is a publicly traded corporation. They report to a board and to their investors. They did disclose what was wrong and they fixed it. Most likely, they fixed it as quickly as they could. They don't report to you or anyone else in the open source community. So don't expect them to sacrifice their own interests for the FOSS community.

Besides that, I still fail to see the real harm they caused the F/OSS community besides delaying what had happened. Anyone care to enlighten me?

Re:The real world is a bit different than that. (0, Troll)

Bruce Perens (3872) | more than 6 years ago | (#24943221)

They harmed the FOSS community because they got in the way of the FOSS developers responding appropriately to their own security problem.

They harmed their customers because a business with more than 50 people has SOx to deal with, and to pass their own audits must be able to assure their own security with more than just a "you're OK, we promise". Even if they didn't have SOx to deal with, it would be bad practice for any security officer to accept "just trust me".

Bruce

Re:welcome to the world (3, Insightful)

earnest murderer (888716) | more than 6 years ago | (#24942627)

It's happened numerous times. Consider Bruce's comment regarding Debian above.

Frankly "a real business situation" sounds a lot like a metaphor for covering your ass at other people's expense.

Re:welcome to the world (1)

BiggerIsBetter (682164) | more than 6 years ago | (#24942905)

Frankly "a real business situation" sounds a lot like a metaphor for covering your ass at other people's expense.

That would be "risk management" and yes, it's a real business situation and S.O.P. in many places. Bruce's comment about "taking control" is exactly what I would expect from Red Hat from a business angle. It's just not what's expected from a community angle, where issues like the Debian situation are played out in the public eye.

Re:welcome to the world (1)

ckedge (192996) | more than 6 years ago | (#24943013)

> That would be "risk management"

Whose risk does it manage?

> it's a real business situation

What the **** does that mean? It doesn't sound like a good thing. You know there are lots of "real business situations" where both the company and the company's customers LOSE because the "business men" are greedy morons or idiots or both.

> S.O.P. in many places.

Yeah, it's SOP for submarines to dive and airplanes to go up and come down...

> is exactly what I would expect from Red Hat from a business angle

Are you criticizing them, congratulating them, or making excuses?

> It's just not what's expected from a community angle

So if there's a community involved, somehow right and wrong and good and bad are different?

I can't figure out what you mean to say, and so far you have said NOTHING of value. No offence, I honestly can't tell what you're saying.

Re:welcome to the world (1)

oldhack (1037484) | more than 6 years ago | (#24943573)

> That would be "risk management" Whose risk does it manage?

Risk of bad PR blowing up and getting their asses fired, what else? Stop being a pest. ;-)

Re:welcome to the world (5, Insightful)

robo_mojo (997193) | more than 6 years ago | (#24942645)

"Frankly" when business is more important than the customer, often the business isn't worth a damn.

Re:welcome to the world (1)

sleeponthemic (1253494) | more than 6 years ago | (#24942835)

"Frankly" when business is more important than the customer, often the business isn't worth a damn.

I don't know who this Frank bloke is - but I'd like to smoke some of the plants in his garden.

Linux for suits? (1)

mkcmkc (197982) | more than 6 years ago | (#24942673)

maybe when your [sic] a bare foot [sic] long haired [sic] hippy like stallman... [blah, blah, blah]

So you're saying that RedHat is now the Linux for suits? Quality is not the highest priority? I for one am not quite ready to believe it...

Re:Linux for suits? (1)

adamchou (993073) | more than 6 years ago | (#24943033)

This is nonsense. Them not wanting to disclose the reasons behind the security breach has nothing to do with the quality of their work.

Re:Linux for suits? (1)

the_B0fh (208483) | more than 6 years ago | (#24943141)

How can you tell? Was it caused by a lack of quality in their processes? Did some programmer post his private key in some hacker board? Without details, you simply can't tell.

People don't like it... (1)

slyn (1111419) | more than 6 years ago | (#24942741)

... when a major open source company/advocate isn't open. News at 11.

Re:welcome to the world (2, Informative)

sweet_petunias_full_ (1091547) | more than 6 years ago | (#24942841)

"Welcome to the world"

Not exactly.

"Welcome to another company controlled by lawyers."

Fixed it for you.

(And I even did it without shredding the evidence, NDA/gag orders, DMCA take down letters or all of the other CYA tactics peculiar to the legal profession.)

Re:welcome to the world (1)

Loki P (1170771) | more than 6 years ago | (#24943005)

> "when your a company with peoples futures and jobs on the line often its not a good idea to expose all of the details"

But you're only talking about Red Hat's employees' futures and jobs. Instead, they should consider how many companies use their distribution, and consider all _those_ companies' employees' futures and jobs first.

Press Releases... (1)

Z34107 (925136) | more than 6 years ago | (#24942543)

A "Linux journalist" talking to a "publicist" was told to read the press release?

I, too, without RTFA, would think most any company would be wary about talking about a recent server breach.

But, it doesn't matter - it's all open source, you can look at the lines of code and verify for yourself that they're safe, right? Not like what you can('t) do with Windows.

Re:Press Releases... (2)

Martin Blank (154261) | more than 6 years ago | (#24942641)

There are still ways to handle this which cover both the need to minimize chances of a recurrence and the desire of users to know what happened and whether they are also at risk. This could include specifying whether this was due to a software bug still under investigation, a configuration error which has been fixed, or possibly an internal sabotage. Exact details could remain forthcoming until such time as complete mitigating solutions are in place, especially if a patch needs to be released to handle it, which should take no more than a few weeks.

Re:Press Releases... (4, Informative)

FlyingBishop (1293238) | more than 6 years ago | (#24942765)

No, you can't...

This goes back to the whole "trusting trust" concept. You have no way of knowing if the source you've been given reflects the binary you're using, unless you yourself compiled it (and hand-crafted the compiler you're using in assembly, and made the assembly language for your CPU, and made your CPU, but those are a different discussion.)

The point is, Red Hat signs their packages. If their signing mechanism has been compromised, it is quite conceivable that every single Red Hat package is untrustworthy. The dates on the packages are only as trustworthy as the key, so there is no beginning or end time for this: you must throw out all Red Hat packages on your system, because any could be compromised.

Source really gives you very little assurance unless you compile it.

If we want to look at this in contrast to Windows, there's not really any comparison, since we barely even begin to have a grasp of their Byzantine updating system, and couldn't even speculate as to the effects of a similar problem on their side.

Re:Press Releases... (3, Insightful)

Elektroschock (659467) | more than 6 years ago | (#24942977)

Yeah, but that is the techie paranoia.

Just because something can be done doesn't mean it actually happens. If I go on holiday and leave the door of my house open, it does not mean that something actually happens.

The point is, Red Hat signs their packages. If their signing mechanism has been compromised, it is quite conceivable that every single Red Hat package is untrustworthy.... you must throw out all Red Hat packages on your system, because any could be compromised.

Nonsense. Why should you "trust" RedHat Packages signed by employees?

The whole signing shit is a troll for the privacy church. What they forget are the proportions and what is really important. We know exactly that the problem didn't affect us in the past and it won't affect us in the future now that we've found out. No need to panic.

Re:Press Releases... (1)

BlortHorc (305555) | more than 6 years ago | (#24943641)

The whole signing shit is a troll for the privacy church. What they forget are the proportions and what is really important. We know exactly that the problem didn't affect us in the past and it won't affect us in the future now we found out. No need to panic.

Wow. I can't really imagine a more concise way of saying "Never, ever consider hiring me for a technical role in any capacity at all". I mean, seriously.

Re:Press Releases... (1)

cgenman (325138) | more than 6 years ago | (#24943327)

If we want to look at this in contrast to Windows, there's not really any comparison, since we barely even begin to have a grasp of their Byzantine updating system, and couldn't even speculate as to the effects of a similar problem on their side.

Considering that signed executables on Windows have been a no-go for years, I think you're seeing the effects.

Re:Press Releases... (1)

saccade.com (771661) | more than 6 years ago | (#24943411)

If you want to understand just how scary a break-in like this is, read Ken Thompson's classic Turing Award Lecture, Reflections on Trusting Trust [bell-labs.com] .

Re:Press Releases... (4, Informative)

eggnoglatte (1047660) | more than 6 years ago | (#24942937)

But, it doesn't matter - it's all open source, you can look at the lines of code and verify for yourself that they're safe, right?

Wrong. I know this is common wisdom in the open source community, but it really isn't that simple when compilers are involved.

The reason is that the hackers COULD potentially have modified the binary of the compiler used to bootstrap the whole RedHat distribution. You can modify the compiler such that it takes harmless code and compiles backdoors into it. In particular you could modify it so that it always propagates the change when it compiles a version of itself. Since every system bootstraps from an already compiled version of the compiler, a well hidden backdoor could propagate forever, unless people actually analyze the machine code.

Read Ken Thompson's 1984(!) Turing Award lecture for the full nitty gritty details. This should be required reading for everybody in security (and all open source advocates, for that matter):

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.5728&rep=rep1&type=pdf [psu.edu]
(PDF)

You can rebuild everything from a known base. (1)

jotaeleemeese (303437) | more than 6 years ago | (#24943749)

At some point, you should have a compiler that is considered clean. You use that to compile, from reviewed source code, the latest and greatest compiler and generate the rest from there.

Well yes. (1, Insightful)

jotaeleemeese (303437) | more than 6 years ago | (#24943733)

But they already know what happened.

You would expect them to disclose what went wrong; that would save everybody time and money.

Now, how can anybody running a Red Hat system know it is safe?

Openness is an advantage over closed systems, and it is why many of us buy from companies that are more open, in all senses of the word.

Losing sight of what makes them different, and thus desirable, is a recipe for financial trouble (their lawyers will be paid in any way, so they should actually use them to ensure maximum disclosure).

Crapper (1)

Tablizer (95088) | more than 6 years ago | (#24942575)

Shit! I have stock in RedHat

in a word- (0)

Anonymous Coward | more than 6 years ago | (#24942609)

shareholders.

Crisis? (1)

grilled-cheese (889107) | more than 6 years ago | (#24942709)

What exactly qualifies this as a crisis?

Does this justify the word "crisis?" (5, Insightful)

bogaboga (793279) | more than 6 years ago | (#24942719)

Does this justify the word "crisis?" I doubt it does. In my opinion "conundrum" would be a better word.

At first read, the heading made me think that Red Hat and Fedora communities were bickering big time, threatening timely releases of software we have [all] come to rely on. Of course this is not the case.

So why the sensational heading?

Re:Does this justify the word "crisis?" (1)

mikesd81 (518581) | more than 6 years ago | (#24942945)

Because it is a crisis when a distro's server was penetrated and packages are possibly untrustworthy. Maybe the title would be less confusing if it was Redhat/Fedora?

Re:Does this justify the word "crisis?" (1)

Bruce Perens (3872) | more than 6 years ago | (#24943245)

"Crisis" is polite language for what is really meant :-)

Re:Does this justify the word "crisis?" (0)

Anonymous Coward | more than 6 years ago | (#24943247)

"Conundrum" is harder to spell.

But since you ask,

crisis [etymonline.com]
c.1425, from Gk. krisis "turning point in a disease" (used as such by Hippocrates and Galen), lit. "judgment," from krinein "to separate, decide, judge," from PIE base *krei- "to sieve, discriminate, distinguish" (cf. Gk. krinesthai "to explain;" O.E. hriddel "sieve;" L. cribrum "sieve," crimen "judgment, crime," cernere (pp. cretus) "to sift, separate;" O.Ir. criathar, O.Welsh cruitr "sieve;" M.Ir. crich "border, boundary"). Transferred non-medical sense is 1627. A Ger. term for "mid-life crisis" is Torschlusspanik, lit. "shut-door-panic," fear of being on the wrong side of a closing gate.

conundrum [etymonline.com]
1596, Oxford University slang for "pedant," also "whim," etc., later (1790) "riddle, puzzle," also spelled quonundrum; the sort of ponderous pseudo-Latin word that was once the height of humor in learned circles.

I'll go with the 'turning point', myself.

Don't be fooled. (1, Informative)

fahrbot-bot (874524) | more than 6 years ago | (#24942805)

Fedora is independent from Red Hat as Saturn is (was) from GM. Ya, it's a little bit of a stretch, but stick with me, I think there's a parallel -- i.e., Saturn exists to benefit GM, not to build better cars.

From: GM'S SATURN PROBLEM [cnn.com]

Saturn wouldn't merely blossom as a division with protected status, free from the labor strife, stifling bureaucracy, and all the other dysfunctions of the mother corporation. No, it would also infect the rest of the company with its enlightened and effective management techniques. ...

Problem was, most Saturn buyers never traded up. While Saturn achieved its goal of attracting buyers who weren't typically interested in GM cars, it didn't change their opinions of the company. When owners sold their first Saturn, they typically bought a second one, or they shopped elsewhere. ...

For Saturn to survive, it needed to boost sales volume, cut engineering and manufacturing costs by borrowing more GM resources, and develop additional products in higher-profit segments by adapting existing GM designs. ...

Increasingly, pieces of the original Saturn were stripped away in the interest of efficiency, and the once-independent company was slowly integrated into GM.

Push comes to shove, Fedora's needs will never come before Red Hat's interests.

Semantic games (1)

93 Escort Wagon (326346) | more than 6 years ago | (#24942827)

'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'

You can argue that they are ignoring the spirit that many FOSS advocates believe in; but how is not making the details of this intrusion public "ignoring FOSS"? Is there a line somewhere in the GPL that states "If you're running GPL software, and someone hacks your system, you must make all details of the hack known"?

If solving the hack required Red Hat to modify code, they'll have to make the source available - but AFAIK that's all they're required to do.

Re:Semantic games (1)

pavera (320634) | more than 6 years ago | (#24942957)

The problem is that they are eating their own dogfood. If they were to disclose the method of attack, they would be protecting all of their customers, as their customers could take steps to prevent the same attack from succeeding against them. As it is, they are just leaving all of their customers open to a known hole.

Further, the fact that they have been so mum about the attack leaves people with 0 ability to mitigate any damage that may have been done. They admit that the attacker was able to sign modified SSH packages and distribute them. Fedora says the attacker was not able to sign any packages because they didn't have the passphrase and couldn't hack it.... So does RedHat not have a passphrase on their signing key? Do they keep it in plaintext on the signing server? Was theirs just really easy to guess? Point being, it looks to me like RedHat seriously dropped the security ball. They ought to admit it, and move on.

Re:Semantic games (3, Funny)

bursch-X (458146) | more than 6 years ago | (#24943049)

"If you're running GPL software, and someone hacks your system, you must make all details of the hack known"?

Sure you must, under the GPL even a hack would count as a derivative work, so the hackers have to make the source available, wouldn't they? ;-P

Re:Semantic games (5, Interesting)

melonman (608440) | more than 6 years ago | (#24943441)

Exactly. It's not a breach of any FOSS licence. It's possibly a breach of FOSS project best practice, but that isn't clear either, because we don't know how the problem happened or what code had to be modified to fix it.

Even if some FOSS code was modified, there is no licence obligation to distribute the changes unless you are distributing the binaries.

As I understand it, the security breach was that someone gained remote access to their servers. It doesn't necessarily follow that any of the code served by the servers was faulty. Last time I checked, not all the code running Redhat sites was open-source.

And the breach could well have been down to a sys admin error, rather than a problem with the codebase itself. It would obviously be acutely embarrassing if Redhat's in-house team turned out to have made the kind of mistake that causes people to fail their RHCE exam, but it wouldn't have anything to do with FOSS.

Also, there may not be a simple answer to the 'what does this mean for me?' question. In the Debian case, the answer was quite simple, and so was the solution. The Redhat announcements sounded to me like "We know there was a breach, we don't know exactly what happened as a result, we don't think anything serious happened, but, to be on the safe side, we are changing all the locks."

Redhat's PR department obviously misjudged the best way to handle this incident, but the expectations of the FOSS community also seem unrealistic. When a company open-sources some code, it doesn't mean that anyone in the world gets unfettered access to all the information in the company. Reading TFA, I can't help but think that it is at least partly motivated by the blogger's outrage that Redhat didn't roll out the red carpet all the way to the server room for his terribly important blog.

gotta say, this is BAD (3, Insightful)

pavera (320634) | more than 6 years ago | (#24942831)

I used to be 100% redhat and fedora... Now I've moved almost all my systems to ubuntu, but I still run centos on a few servers.

Every reputable tech company I deal with (ISP, Software, Hosting, Colo) has very clear, very open policies about outages, breaches, and security in general. If they don't I don't do business with them.

I know the ins and outs of my ISP, Hosting, and Colo companies' processes because I get emailed whenever I have an outage that says "we experienced an outage from x-y on day z, the outage was caused by our dumb admin who tripped on the power cable, we rewired our entire data center to move all of the power cables to the ceiling to prevent a similar outage in the future".

Obviously that is a made up report, but it is extremely standard practice to let all your customers know a) when the problem happened, b) what caused the problem, c) concrete steps taken or procedures implemented to prevent similar problems in the future.

That RedHat has fallen so miserably short of this basic tenet of IT procedures is extremely scary.

Re:gotta say, this is BAD (4, Interesting)

Jailbrekr (73837) | more than 6 years ago | (#24942981)

I work for a 500 million dollar a year company, and we're a Redhat shop. We have no intent of switching because the "breach" had ZERO effect on its customers. Even though it had zero effect, they still released scripts to seek out and detect any potential vulnerabilities that were even remotely related to the "breach" (surprise surprise, our 850 RHEL4/5 installs had none). Redhat caught the "breach", made sure the damage was isolated to non production servers, and then informed its customer base and the public. The fact that they're not releasing the explicit details surrounding the "breach" seems to suggest that they are still investigating the source of the "breach" and quite possibly have law enforcement involved.

Redhat is doing the right thing, and for you to base your decision to switch on a grossly misinterpreted reaction reflects poorly on you, not them.

Re:gotta say, this is BAD (1)

pavera (320634) | more than 6 years ago | (#24943085)

Sorry,
I didn't mean to imply that I switched because of this, although upon re-reading my original post, I agree it reads that way....

I started switching after Fedora 3, which was such a colossal flop, and caused me way too many headaches... I moved most systems to centos at that time, then, since Ubuntu has released their server product, I've been using it and migrating systems from centos...

I unfortunately don't work for a 500 mil/yr company, and so can't afford 1500-2500/yr/server for security updates. I worked for 1 company that had the resources for RHEL licenses, and we never in 2 years called support, nor used anything but RHN for security updates... No way can I justify that expense for security updates to my current employer... Our systems run enough virtualized instances, and have enough processor sockets to require the Advanced Platform licenses which start at 1500/yr/server...

Re:gotta say, this is BAD (3, Interesting)

the_B0fh (208483) | more than 6 years ago | (#24943109)

Bleh. I've worked for multiple Fortune 100 companies, and for the most part, issues such as these do not make the radar of these companies. The most trouble you'll get is out of a few disgruntled users. Once a contract is signed, unless you pissed off the top brass, you typically have no problems.

OTOH, I'll disagree with you. Full disclosure means just that. At this point, they have not even said that they're going to disclose anything else, and it reflects poorly on you to go defend them.

Re:gotta say, this is BAD (5, Insightful)

Bruce Perens (3872) | more than 6 years ago | (#24943131)

surprise surprise, our 850 RHEL4/5 installs had none

You're very trusting with all that money. Someone else in the same situation might truthfully report: my vendor is keeping me in the dark, I don't know the nature and degree of my own exposure.

This would make me nervous.

Re:gotta say, this is BAD (1)

Jah-Wren Ryel (80510) | more than 6 years ago | (#24943189)

The fact that they're not releasing the explicit details surrounding the "breach" seems to suggest that they are still investigating the source of the "breach" and quite possibly have law enforcement involved.

If that were the case, then they would have no excuse not to tell you that was the case and that full details would be forthcoming once it was no longer necessary to keep them secret.

Since they did not do that, it seems to suggest that your hypothesis is false.

Re:gotta say, this is BAD (1)

bill_mcgonigle (4333) | more than 6 years ago | (#24943027)

I know the ins and outs of my ISP, Hosting, and Colo companies' processes because I get emailed whenever I have an outage that says "we experienced an outage from x-y on day z, the outage was caused by our dumb admin who tripped on the power cable, we rewired our entire data center to move all of the power cables to the ceiling to prevent a similar outage in the future".

Those are events with short-term fixes and you get notification after the fix is implemented, right?

Re:gotta say, this is BAD (1)

pavera (320634) | more than 6 years ago | (#24943169)

not necessarily... My colo recently had a major power outage which because of the nature of the outage (a brownout, then a complete drop) fooled the generator into turning on while the power was still on (during the brownout), then because the power was still on the generator shut itself down, and put itself in a state which required manual intervention to start up.. so when the power actually failed about 2 minutes later, the whole datacenter went down (after the 2-5 minutes of battery ran out)...

Anyway it was a major outage, but they sent a detailed email of what happened about 2 hours after the incident, once they had manually reset things and restored power and AC to the datacenter floor (the power outage lasted 2 days). Then, within another 4-6 hours, sent a detailed email specifying exactly what changes they were making to their power infrastructure to mitigate the problem in the future. These changes took more than a month to implement involving work from the power company, the generator company, and various electrical contractors. I received 1-2 emails per week detailing progress of the work, exactly what state everything was in, and estimated completion dates for everything.

I guess my point is, no, these aren't short term fixes and I get notification prior to the fix being implemented if it is a major issue.

My ISP is equally forthcoming about issues which cause outages on their network. Sure, if it's a small thing that they've already fixed, I'll get the notification after the fix, but for large issues, or issues which require ongoing work to actually remedy, I am kept in the loop as the situation is ongoing.

Seems to me going without security updates for 2-3 weeks would classify as a major outage. Further, if redhat has identified the attack vector, they should release it, as millions of other redhat servers are probably vulnerable to the same attack, and customers need to know so they can mitigate their exposure.

Re:gotta say, this is BAD (0)

Anonymous Coward | more than 6 years ago | (#24943643)

I know the ins and outs of my ISP, Hosting, and Colo companies processes...

Wow. What providers do you use?

This is an ongoing investigation (5, Interesting)

chill (34294) | more than 6 years ago | (#24942847)

This seems to be, from reading the Fedora [redhat.com] and Red Hat [redhat.com] statements, an ongoing investigation. The same way the police don't comment about investigations in progress, Red Hat is keeping mum. Keep in mind, the breach may be very complex and not something that they can confidently say "we understand" without a very detailed analysis.

They announced the issue immediately and took steps. For now, give them the benefit of the doubt that further details will be forthcoming once a proper investigation has been completed.

Re:This is an ongoing investigation (1)

Just Brew It! (636086) | more than 6 years ago | (#24943163)

It has been nearly a month since the original breach was noticed. That's an awful long time for people to be left hanging, wondering whether their systems are running potentially compromised packages.

Example of a broader oddity. (1)

fuzzyfuzzyfungus (1223518) | more than 6 years ago | (#24942873)

I'm not at all surprised that Redhat felt free to do whatever they felt like, fedora be damned, under the circumstances. What I don't understand, though, is why would doing what they did seem like a good idea?

Sure, getting compromised sucks, and having to admit it sucks; but in a world of fast moving internet gossip, paranoid *nixheads, and potential leaks, oozing some smarmy nonsense, losing face, and still having to admit it sucks even more.

I can understand why they would be tempted, if they thought that full concealment was possible; but why would anybody go with half concealment? It seems like you get the worst of both worlds. Everybody finds out anyway, and you look like a slimy suit. Why would you do that?

oh well... (1)

Sfing_ter (99478) | more than 6 years ago | (#24942919)

I stopped using RedHat (deadrat), about the time they went "fedora" - i did not care for some of the changes.

I do know that the govt. likes them a lot, and if you are a govt. contractor, sometimes you can only say certain things...

I don't see this as anti FOSS (4, Interesting)

Dr_Marvin_Monroe (550052) | more than 6 years ago | (#24942941)

There are a number of possible scenarios that would recommend against being 100% candid on how far you were breached. If I was violated, I think I'd like to take a moment to do a "self-check" on all of my important bits before I started telling everyone all of the nitty-gritty details. As the article pointed out, people were told that there was a breach, and that they should not update for a few days. How is this "anti-FOSS"?

Perhaps they were on the trail of who did this? Perhaps they were comparing notes with the Ubuntu breach cited in the article, with the goal of finding the M.O? Perhaps, like any police detective, they were keeping certain clues to themselves while they investigated further? If the crimes were found to have similar approaches, keeping quiet might improve the odds of capture?

I use Fedora, and had been using Red Hat before Fedora came along. I don't think this kind of hysterical "anti-FOSS" reaction really fits the facts as I just read them. Perhaps they have not handled this in the best possible way, but that's far from "anti-FOSS." Just because you didn't get your precious packages today, doesn't mean they've gone all corporate spin-zone on the FOSS community. Again, I'm not saying that they've handled it as well as they could have, I'm just making the point that there might be reasons for not detailing publicly the many many disgusting ways that each and every one of their private bits have been violated and penetrated numerous times, over and over again....

Give 'em a break guys, I'd be more concerned if they didn't tell anyone about the break-in at all. That would really be "corporate" behavior. Simply deny the breach and lawyer-up. As it is, they're trying to fix it, and if you're so antsy to get your packages immediately, the source and diffs are there for you to check yourself. If they start getting in the habit of this, folks will start contributing to, and using, other distros.. isn't that how FOSS is supposed to work?

So what exactly is Red Hat hiding? (4, Insightful)

Rolman (120909) | more than 6 years ago | (#24943129)

OK, some servers got hacked, the attackers didn't inject rogue packages into the repository servers so no customers/users were affected. Red Hat/Fedora responded by auditing everything and releasing a statement [redhat.com] , along with tools [redhat.com] to detect packages with the attackers' signature. Big deal.

Seriously, what else is there to be known about it?

Yeah, say whatever you want, but it's not as if Debian never [debian.org] had [debian.org] its servers compromised in a similar fashion, and never had to perform some PR damage control.

Unlike Debian, Red Hat is a publicly traded company with a whole bunch of customers with signed SLAs. Handling such matters without press trolls all rolling over it spreading FUD and causing unnecessary panic is _not_ an easy task, as can be beautifully shown by TFA.

I respectfully disagree with Bruce Perens. The Debian OpenSSL fiasco was so much more serious, damaging and dangerous to users all over the world, it's not even fair to compare. We're talking about millions of known networks and sessions compromised in Debian over a year and a half period, versus none in Red Hat over a week.

I appreciate how Debian acted _after_ the fact, but was there any other way to handle such a terrible mishap?

This is not about flawed Open Source policies, this is about seriously flawed journalism, where conspiracy theories are used to make a story where there is none.
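FlyingBishop's point above (once the signing key has been misused, a valid signature proves nothing, and the signature date is whatever the signer's clock said) and Rolman's (the vendor published tools to find the tampered packages) combine into a local audit. The script below is an added example, not Red Hat's or Fedora's own tooling: it reads the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SIGPGP:pgpsig}\n'` (here a constructed sample; the key IDs, package versions and bad-package list are placeholders, not the real Red Hat or Fedora values) and flags packages on the published bad list, unsigned packages, and packages signed by a revoked or unknown key.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# rpm prints the signature field as e.g. "DSA/SHA1, <date>, Key ID 0123456789abcdef",
# or "(none)" for an unsigned package.
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")


@dataclass(frozen=True)
class Finding:
    package: str           # NAME-VERSION-RELEASE as printed by rpm
    key_id: Optional[str]  # lower-case hex key ID, or None when unsigned
    reason: str


def parse_rpm_line(line: str):
    """Split one 'NVR<TAB>signature' line into (nvr, key_id or None)."""
    nvr, _, sig = line.rstrip("\n").partition("\t")
    match = KEY_ID_RE.search(sig)
    return nvr, (match.group(1).lower() if match else None)


def key_in(key_id: str, key_set: Iterable[str]) -> bool:
    """Entries may be 8- or 16-hex key IDs; a short ID is the tail of the long one."""
    return any(key_id.endswith(k.lower()) for k in key_set)


def audit(lines: Iterable[str], trusted_keys: Iterable[str],
          revoked_keys: Iterable[str] = (), known_bad: Iterable[str] = ()) -> List[Finding]:
    """Return one Finding per package that should not be trusted as-is.

    The signature date is deliberately ignored: it is set by whoever held the
    key, so it cannot bound the window in which a stolen key was used.
    """
    trusted, revoked, bad = set(trusted_keys), set(revoked_keys), set(known_bad)
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        nvr, key_id = parse_rpm_line(line)
        if nvr in bad:
            # A good signature from the real key is no defence here: the
            # published list is exactly the set of packages signed with it
            # by someone other than the vendor.
            findings.append(Finding(nvr, key_id, "on vendor's published list of tampered packages"))
        elif key_id is None:
            findings.append(Finding(nvr, None, "unsigned"))
        elif key_in(key_id, revoked):
            findings.append(Finding(nvr, key_id, "signed by revoked key"))
        elif not key_in(key_id, trusted):
            findings.append(Finding(nvr, key_id, "signed by unknown key"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, str]:
    """Map package NVR to the reason it was flagged."""
    return {f.package: f.reason for f in findings}


# Constructed sample data; placeholders only, not real key IDs or advisories.
TRUSTED_KEYS = {"aaaaaaaa"}                 # current release key (short ID)
REVOKED_KEYS = {"cccccccc"}                 # key rotated out after the breach
KNOWN_BAD_NVRS = {"openssh-4.3p2-26.el5"}   # stand-in for the vendor's published list

SAMPLE_RPM_OUTPUT = """\
bash-3.2-21.el5\tDSA/SHA1, Thu 15 May 2008 09:10:11 AM UTC, Key ID 00000000aaaaaaaa
openssh-4.3p2-26.el5\tDSA/SHA1, Wed 20 Aug 2008 01:02:03 PM UTC, Key ID 00000000aaaaaaaa
openssh-clients-4.3p2-26.el5\tDSA/SHA1, Wed 20 Aug 2008 01:02:03 PM UTC, Key ID 00000000aaaaaaaa
kernel-2.6.18-92.el5\tDSA/SHA1, Mon 05 May 2008 08:00:00 AM UTC, Key ID 00000000cccccccc
localtool-1.0-1\t(none)
foo-1.2-3\tDSA/SHA1, Mon 01 Jan 2007 10:00:00 AM UTC, Key ID 00000000bbbbbbbb
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_RPM_OUTPUT.splitlines(), TRUSTED_KEYS,
                         REVOKED_KEYS, KNOWN_BAD_NVRS):
        print(f"{finding.package}: {finding.reason} (key {finding.key_id})")
```

On a real host, replace the sample with the rpm query's output and the placeholder sets with the vendor's published key IDs and package list.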

New Fedora Key (5, Informative)

FrankDrebin (238464) | more than 6 years ago | (#24943203)

TFA says:

However, as of September 8, the crisis continues, with Fedora users still unable to get security updates or bug-fixes.

Not true. Go here: https://fedoraproject.org/wiki/Enabling_new_signing_key [fedoraproject.org] , follow the instructions and voila... updates available.

It ain't over yet (2, Insightful)

pembo13 (770295) | more than 6 years ago | (#24943443)

You can't really say they are keeping things quiet while things are still in progress. This isn't being swept under the rug, this seems to be pursued in all areas currently. If after everything, there is still no more information, then that is a story.

RedHat lost me when they split off Fedora (-1, Offtopic)

syousef (465911) | more than 6 years ago | (#24943559)

I moved from Slackware to Redhat. When Fedora came I stopped using Linux for a long time. It was clear the motivation was commercial and not in the interests of the customer. These days if I run Linux it's mostly on VMWare. I've still got an old dual boot machine that runs a very very outdated version of Redhat but I've probably booted into Linux on that machine twice in the last 5 or 6 years. I plan on putting a more recent flavour of Linux on it when I've decided between Debian, Ubuntu, Fedora and CentOS. Guess which 2 are looking a lot less compelling to me.

Buy your "What Would Debian Do?" wristbands... (1)

mapnjd (92353) | more than 6 years ago | (#24943791)

While Bruce and Debian are probably right, I do feel a certain "holier than thou" approach going on here.

If you owned a company and a junior engineer had done something _really_ stupid, you may not want to fully disclose the incompetence of one person as it would make your whole company look that bad.

In that case, a bit of corporate blather may look better than full disclosure...
