
Re: Complaint



On Sun, Dec 14, 2003 at 05:55:30PM +0100, Ingo Juergensmann wrote:
> On Sun, Dec 14, 2003 at 09:05:39AM -0700, Joel Baker wrote:
> 
> > Remember, these machines are, behind the archives, perhaps the most
> > implicitly trusted machines in the entire project. Compromise the archives,
> > and you can silently sprinkle trojans throughout any package on any port.
> > Compromise a buildd, and you can silently sprinkle trojans throughout any
> > newly compiled package on one port.
> 
> Well, compromise the machine of some DDs and you have the same. Compromising
> machines opens a serious security issue regardless of what the machine is
> used for.

Yes. But debian-admin is not responsible for those machines; therefore,
they are irrelevant to the discussion of "why hasn't debian-admin fixed
<foo>". That, and most developer machines tend to have a half dozen
packages, at most, rather than 9000...

> > On the other hand, blowing away a machine without losing the *valuable* data
> > on it, then manually checking that data before it goes onto anything new,
> > along with a complete reinstall, can be a pretty non-trivial task, and one
> > that often requires console access - which, in itself, may be a non-trivial
> > task for a number of these machines.
> 
> You don't need to tell me that. I'm doing my work mainly remotely, sometimes
> with hundreds or thousands of km between the machine and me, including
> kernel updates and remote installations.

Then, if you'll pardon me, you appear to be being deliberately obtuse.

> > Why should it be easier to get the machines Ryan works with regularly
> > running again? Probably because he knows how to arrange any required
> > access, where there might be data that needs to be copied/inspected, what
> > that data might be, and what it SHOULD look like, along with probably
> > having installed the machines in question at least once, and thus being
> > familiar with any quirks they may have. Oh, and he can probably GET to
> > them, which may well be physically impossible for him with others.
> 
> No, I doubt that Ryan travelled to Germany to get the buildds up again. 

Probably not. Maybe he just happened to know where all the data was, pulled
it off, and got ahold of the remote admin who happened to have the time to
spare, right then.

Or maybe it's an evil conspiracy. No, you're right, it must be; there's no
other *possible* explanation...

> > Thus, he probably has little choice, in some cases, but to depend on others
> > to deal with some of the work, and try to coordinate with them (some of
> 
> Try to coordinate? When there would have been a try to cooperate by him, I
> wouldn't complain... but I do complain.

Unless you are the local administrator of one of the build daemons, I
doubt you'd have seen any of his attempts at coordination. Even if you
are, it's quite possible that he simply hasn't gotten that far down the
list yet. (Though I'd consider it a more significant failure, given that
he presumably should be sending some form of "let me know when you can be
available if we need it" emails).

> > whom may be as much as 10 hours offset from him, which I can tell you
> > from experience coordinating things between the US and the "Far East",
> > is no small handicap). And, as has been pointed out to you, it has been
> > *one* business day since the 12th, assuming that message went out at the
> > beginning of the 12th and not the end.
> 
> And as pointed out by me, it's more than 1 business day.

Okay. So it's 3. That's still ludicrously good to have ANYTHING like the
amount of progress we've seen, given Debian's history. And, frankly, if
you've ever had to try to recover a compromised remote box which had stuff
on it that you couldn't just wipe out, I would expect you to have some
understanding of how good it is to manage to get as many buildds done as
quickly as has happened.

In other words, the only two explanations I can see are either that you
have no real concept of what you're discussing, or that you're being
deliberately obtuse about the lot of it.

Debian may have a lot of issues at times. I'd be one of the last to deny
it. But given what a good job HAS been done, this time, continuing to
complain while it's ongoing is likely to get you dumped into the bucket
of "some people will complain if it takes 10 minutes, instead of 5, when
it should take 5 days". You certainly haven't convinced me this complaint
deserves to be put anywhere else, yet.
-- 
Joel Baker <fenton@debian.org>                                        ,''`.
Debian GNU/KLNetBSD(i386) porter                                     : :' :
                                                                     `. `'
				                                       `-
