
Re: debian services and responsibility

On Fri, Mar 01, 2002 at 11:25:15AM +0100, David N. Welton wrote:
> I would like to know the opinions of the DPL candidates on
> responsibility for Debian machines and services.
> As it stands now, we have outages, and no one seems to really have a
> firm handle on the situation.  For instance, master has been
> unavailable for almost 48 hours, and the few people who have physical
> access to it seem to be saying "sorry, don't have time".  That is not
> an ideal situation for Debian services.

No, in fact I'd venture to say it's unacceptable.

> Maybe I'm blowing this out of proportion, but I would at least like
> some more accountability in this process.  I don't like it that
> something I depend on for my free software related mail, for example,
> goes down, and, at least in the channels I still have available (IRC,
> web) there is no information about 1) whether it's being fixed 2) when
> it will be fixed by, or much of anything else.
>         Adam Heath says:
>         On Thu, 28 Feb 2002, Julian Gilbey wrote:
>         > Anyone know what's up with master?
>         There was an incident on some critical brainfood machines, so
>         ssh access has been blocked.  This is all I can say on the
>         matter at this time.
> Please keep in mind that I'm not ragging on the brainfood guys - what
> I want to know is how you, as DPL, would manage this situation,
> balancing the needs of the developers, the fact that you have to work
> through volunteers, and so on...

If I were DPL, I'd have been on the phone to brainfood within minutes of
hearing that there was a possible incident.

Hopefully Brainfood has been in touch with Ben to apprise him of the
situation.  I can understand Brainfood's unwillingness to speculate to
the entire developer community about what's going on, especially given
the possibility that the security incident could have been caused by a
Debian developer.  At least for the first several hours following the
port lockdown, I'd say it's reasonable to guess that Brainfood didn't
have a complete picture of the compromise yet.  It can take quite a bit
of time to diagnose these things.

But the DPL -- at the very least -- should be in the loop.  Sponsoring
sites provide resources of tremendous value to Debian, but it is
unacceptable for a vendor to unilaterally terminate services for an
indefinite period without adequate explanation.  Hopefully, Ben is in
the loop on this issue and it's being handled in a way that I'd be
comfortable with were I in his shoes.

As far as the volunteer nature of our Project goes, I'd say that simply
means that people and organizations who are part of -- or affiliated
with -- the Debian Project need to be cognizant of their
responsibilities.  Part of my platform talked about this with respect to
individual developers, but it holds true generally.  Volunteering for
Debian means a lot of things; one thing it means is acceptance of
responsibility.  Just as we expect package maintainers to keep their
packages up-to-date, policy-compliant, and bug-free (as much as
possible), we expect the providers of colocation facilities and our
volunteer sysadmins to be able to fulfill their responsibilities as

I suspect that what's going on with the instant situation is not a
shirking of responsibility, or any deliberate or willful misconduct on
the part of anyone affiliated with our Project.  I think what we're
seeing is a simple lack of process and procedure.  The fact that our
developers are apprehensive indicates to me that we need to think about
getting some processes and procedures in place.

Perhaps the DMUP could be revised to establish acceptable standards of
behavior and incident response procedures that are binding upon the
sponsors and DSA team as well as our developers.  After all, problems
can originate from anywhere, not just from plebe developers who get a
spanking from DSA every now and then.

A status report containing as much information as possible should be
posted to debian-private by the DPL or DPL delegate within 24 hours of
any incident like the one that has happened to us this week.

Is anyone willing to share some information with the developer
community on this most recent incident?

G. Branden Robinson                |      Mob rule isn't any prettier just
Debian GNU/Linux                   |      because you call your mob a
branden@debian.org                 |      government.
http://people.debian.org/~branden/ |
