Re: debian services and responsibility
> If I were DPL, I'd have been on the phone to Brainfood within minutes of
> hearing that there was a possible incident.
>
> Hopefully Brainfood has been in touch with Ben to apprise him of the
> situation. I can understand Brainfood's unwillingness to speculate to
> the entire developer community about what's going on, especially given
> the possibility that the security incident could have been caused by a
> Debian developer. At least for the first several hours following the
> port lockdown, I'd say it's reasonable to guess that Brainfood didn't
> have a complete picture of the compromise yet. It can take quite a bit
> of time to diagnose these things.
>
> But the DPL -- at the very least -- should be in the loop. Sponsoring
> sites provide resources of tremendous value to Debian, but it is
> unacceptable for a vendor to unilaterally terminate services for an
> indefinite period without adequate explanation. Hopefully, Ben is in
> the loop on this issue and it's being handled in a way that I'd be
> comfortable with were I in his shoes.

Brainfood has not been in touch with me. I would hope that they have
been in touch with Debian Admins to a more detailed extent (even if they
talk to me, I can't do anything but relay to debian-admin anyway).
/ Ben Collins -- Debian GNU/Linux -- WatchGuard.com \
` email@example.com -- Ben.Collins@watchguard.com '