On Fri, Mar 01, 2002 at 11:25:15AM +0100, David N. Welton wrote:
> I would like to know the opinions of the DPL candidates on
> responsibility for Debian machines and services.
>
> As it stands now, we have outages, and no one seems to really have a
> firm handle on the situation. For instance, master has been
> unavailable for almost 48 hours, and the few people who have physical
> access to it seem to be saying "sorry, don't have time". That is not
> an ideal situation for Debian services.

No, in fact I'd venture to say it's unacceptable.

> Maybe I'm blowing this out of proportion, but I would at least like
> some more accountability in this process. I don't like it that
> something I depend on for my free software related mail, for example,
> goes down, and, at least in the channels I still have available (IRC,
> web) there is no information about 1) whether it's being fixed 2) when
> it will be fixed by, or much of anything else.
>
> Adam Heath says:
>
> On Thu, 28 Feb 2002, Julian Gilbey wrote:
> > Anyone know what's up with master?
>
> There was an incident on some critical brainfood machines, so
> ssh access has been blocked. This is all I can say on the
> matter at this time.
>
> Please keep in mind that I'm not ragging on the brainfood guys - what
> I want to know is how you, as DPL, would manage this situation,
> balancing the needs of the developers, the fact that you have to work
> through volunteers, and so on...

If I were DPL, I'd have been on the phone to brainfood within minutes of
hearing that there was a possible incident. Hopefully Brainfood has been
in touch with Ben to apprise him of the situation.

I can understand Brainfood's unwillingness to speculate to the entire
developer community about what's going on, especially given the
possibility that the security incident could have been caused by a
Debian developer.

At least for the first several hours following the port lockdown, I'd
say it's reasonable to guess that Brainfood didn't have a complete
picture of the compromise yet. It can take quite a bit of time to
diagnose these things. But the DPL -- at the very least -- should be in
the loop. Sponsoring sites provide resources of tremendous value to
Debian, but it is unacceptable for a vendor to unilaterally terminate
services for an indefinite period without adequate explanation.
Hopefully, Ben is in the loop on this issue and it's being handled in a
way that I'd be comfortable with were I in his shoes.

As far as the volunteer nature of our Project goes, I'd say that simply
means that people and organizations who are part of -- or affiliated
with -- the Debian Project need to be cognizant of their
responsibilities. Part of my platform talked about this with respect to
individual developers, but it holds true generally. Volunteering for
Debian means a lot of things; one thing it means is acceptance of
responsibility. Just as we expect package maintainers to keep their
packages up-to-date, policy-compliant, and bug-free (as much as
possible), we expect the providers of colocation facilities and our
volunteer sysadmins to be able to fulfill their responsibilities as
well.

I suspect that what's going on with the instant situation is not a
shirking of responsibility, or any deliberate or willful misconduct on
the part of anyone affiliated with our Project. I think what we're
seeing is a simple lack of process and procedure. The fact that our
developers are apprehensive indicates to me that we need to think about
getting some processes and procedures in place. Perhaps the DMUP could
be revised to establish acceptable standards of behavior and incident
response procedures that are binding upon the sponsors and DSA team as
well as our developers. After all, problems can originate from
anywhere, not just from plebe developers who get a spanking from DSA
every now and then.

A status report containing as much information as possible should be
posted to debian-private by the DPL or DPL delegate within 24 hours of
any incident like the one that has happened to us this week.

Is anyone willing to share some information with the developer
community on this most recent incident?

-- 
G. Branden Robinson                |    Mob rule isn't any prettier just
Debian GNU/Linux                   |    because you call your mob a
branden@debian.org                 |    government.
http://people.debian.org/~branden/ |