FUD: it was very timely
gus3 Aug 24, 2008 12:29 PM EDT
The lede alone got my FUDar going. Sure enough, the article is just a bunch of it. I think Fedora could have gotten the word out, with a full and correct analysis of the situation, and Mr. Davey Winder still would complain that it wasn't fast enough. Granted, I'm not familiar with Winder's writings, but in a world where vulnerabilities in other OSes can go without acknowledgment, let alone repair, for months or years, he certainly has bigger fish to fry.
hkwint Aug 24, 2008 12:54 PM EDT
Quoting: 'he certainly has bigger fish to fry.'
Maybe his wallet doesn't? In a 'slow' news week, one has to write something.
tuxchick Aug 24, 2008 1:01 PM EDT
I don't care for the slant of the article either, or the lack of information. He should have talked to some Fedora or Red Hat people. Davey Winder usually writes pretty good articles; this one is uncharacteristically whiny. What more could have been done? I thought Fedora did all the right things: they made an announcement as soon as they discovered the problem, and then disabled all downloads until they had time to investigate. Red Hat and CentOS have also issued public announcements.
Quoting: The question now being asked is does Red Hat have what it takes to be able to deal with security breach disclosure in an accurate and prompt manner? In a manner that you might expect from a group upholding the FOSS promise?
Sigh. Call me wacky, but I'd say that their track record (many years with no problems) and their quick, open response indicate that's a seriously stupid question.
hkwint Aug 24, 2008 4:03 PM EDT
Quoting: I thought Fedora did all the right things- they made an announcement as soon as they discovered the problem
That's where Mr. Winder probably disagrees; he says it took a week before Fedora admitted a security breach.
tuxchick Aug 24, 2008 5:00 PM EDT
This was the first announcement:

https://www.redhat.com/archives/fedora-devel-list/2008-Augus...
Fri, 15 Aug 2008
"We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems."

https://www.redhat.com/archives/fedora-devel-list/2008-Augus...
Fri, 15 Aug 2008
"Uh oh. This sounds very much like there's been a security breach on infrastructure systems, which may have compromised packages or even repositories. I've disabled automatic installation of updates for the moment"

https://www.redhat.com/archives/fedora-announce-list/2008-Au...
Fri, 22 Aug 2008
"Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline....While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys."

Am I the only one who actually reads these things? They were picked up almost instantly by every news service there is. No, they didn't instantly say there was a breach, because they didn't know. Immediate disclosure, prudent stopgaps, and a thorough investigation. It takes talent to spin that as something bad.
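The announcements quoted above describe two operator-side consequences of the intrusion: automatic updates were switched off as a stopgap, and the Fedora signing keys were rotated because third-party mirrors could have served tampered packages. An admin following along needs to confirm that every enabled yum repository enforces signature checking and references only the post-rotation key, and that the retired key is no longer imported into the RPM database. The following audit script is an added example, not code from Fedora, Red Hat or anyone in this thread; the .repo file contents, the key file names and the key IDs in the `rpm -q gpg-pubkey` sample are constructed placeholders, not real Fedora values.

```python
"""Audit yum repo configuration and the RPM key database after a
signing-key rotation.  Added example; identifiers below are constructed."""
import configparser
from dataclasses import dataclass

# Constructed sample .repo contents: one repo configured correctly, one that
# has signature checking switched off, and one still pointing at the
# pre-rotation key file.
SAMPLE_REPO_FILE = """\
[fedora]
name=Fedora - base
baseurl=http://mirror.example/fedora/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-new

[fedora-updates]
name=Fedora - updates
baseurl=http://mirror.example/fedora/updates
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-new

[thirdparty]
name=Third-party mirror
baseurl=http://mirror.example/thirdparty
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-old
"""

# Constructed sample of `rpm -q gpg-pubkey` output (package names are
# gpg-pubkey-<keyid>-<timestamp>); the key IDs are placeholders.
SAMPLE_RPM_KEYS = """\
gpg-pubkey-0000aaaa-11111111
gpg-pubkey-0000bbbb-22222222
"""

# Hypothetical trust decisions after rotation (assumed, not Fedora's values).
TRUSTED_KEY_FILES = {"file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-new"}
RETIRED_KEY_FILES = {"file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-old"}
RETIRED_KEY_IDS = {"0000aaaa"}


@dataclass(frozen=True)
class Finding:
    where: str    # repo section name, or "rpmdb"
    problem: str


def audit_repo_config(text: str) -> list[Finding]:
    """Flag enabled repos that skip gpgcheck or trust a retired/unknown key."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read_string(text)
    findings: list[Finding] = []
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot deliver packages
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append(Finding(name, "gpgcheck is not enabled"))
        keys = sec.get("gpgkey", "").split()  # yum allows several, whitespace-separated
        if not keys:
            findings.append(Finding(name, "no gpgkey configured"))
        for key in keys:
            if key in RETIRED_KEY_FILES:
                findings.append(Finding(name, f"references retired key {key}"))
            elif key not in TRUSTED_KEY_FILES:
                findings.append(Finding(name, f"references unknown key {key}"))
    return findings


def audit_imported_keys(rpm_q_output: str) -> list[Finding]:
    """Flag retired key IDs still present in the RPM database.

    Packages signed by the old key keep verifying until it is removed
    (rpm -e gpg-pubkey-<keyid>-<timestamp>)."""
    findings: list[Finding] = []
    for line in rpm_q_output.splitlines():
        line = line.strip()
        parts = line.split("-")
        if len(parts) != 4 or parts[:2] != ["gpg", "pubkey"]:
            continue
        key_id = parts[2]
        if key_id in RETIRED_KEY_IDS:
            findings.append(Finding("rpmdb", f"retired key {key_id} still imported; remove with: rpm -e {line}"))
    return findings


if __name__ == "__main__":
    for f in audit_repo_config(SAMPLE_REPO_FILE) + audit_imported_keys(SAMPLE_RPM_KEYS):
        print(f"{f.where}: {f.problem}")
```

On a live system the inputs would be the concatenated files under /etc/yum.repos.d/ and the output of `rpm -q gpg-pubkey`; the sets of trusted and retired key files and IDs must be filled in from the distribution's own announcement rather than the placeholders used here.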
techiem2 Aug 24, 2008 7:05 PM EDT
That's probably about 1000x the amount of disclosure you'd get from MS, etc.
You MIGHT see an update that, if you actually look at its description, says something like "this fixes an issue that could allow your updates to be compromised by a third party".
Of course, they'd never announce it in public, and if it was brought up in public, they'd just downplay the significance.
jdixon Aug 24, 2008 10:23 PM EDT
> It takes talent to spin that as something bad.
Agreed. It sounds to me like Red Hat did everything correctly. A notification of a possible problem with an appropriate warning as soon as they knew, and complete follow-up information when it was available. What more could you ask? That a breach never happen? That they catch it before it happens? Get real. Security breaches happen. It's how you deal with them that matters.