
Re: More hacked servers?

First of all, there's no need to be defensive.  I'm on your side!  I
certainly didn't mean to suggest that anything would be hidden - why would
it?  I only meant to suggest that the details of this incident (once they
are all known) need to be made very public rather than being buried in a
mailing list where only us geeks will see it.  In fact, it needs to be even
more public than the report of the break-in was.  Why?  Because the last
news Joe Necktie heard about Debian is that it got hacked.  Now I know
Debian doesn't own the media, but as Debian users, I think we can all help
by pointing out the explanation, once it's given, to every geek news site we
can find.

Another poster asked why my confidence was shaken.  It's shaken because I
guess I thought of kernel.org and debian.org to be among the last places
anyone would ever successfully break into, even if that is a tad naive.
Linus I think did a fairly decent job of explaining why the kernel.org
break-in didn't hurt anything, and I believe him, but personally I'd prefer more
detail.  Debian has said that nothing was damaged here either, and I believe
them too, but that's not the question.  The question is, does Joe Necktie
believe them?  I think what would really be reassuring would be a nice
report, or audit, or something describing how security works, and have that
be a very prominent feature of every open source site.  The more people that
put their faith in open source software, the more people are going to want
to understand how open source sites make sure that open source code is
protected from damage.


----- Original Message ----- 
From: "Michael Stone" <mstone@debian.org>
To: "Jim Hubbard" <jimh@xlproject.com>
Cc: <debian-security@lists.debian.org>
Sent: Tuesday, November 25, 2003 9:01 AM
Subject: Re: More hacked servers?

> On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:
> >After the Linux kernel server got hacked a few weeks ago, and now this
> >successful attack at Debian, my confidence is shaken.  I hope we'll see
> >disclosure about exactly what happened and what's being done to prevent
> We were up-front in reporting the problem, so why would you suggest we
> would hide things later?
> Mike Stone
