
[Savannah-hackers] Savannah situation


From: Bradley M. Kuhn
Subject: [Savannah-hackers] Savannah situation
Date: Wed, 17 Dec 2003 15:14:07 -0500
User-agent: Mutt/1.5.4i

Dear Savannah Hackers,

I understand that everyone is currently very upset about the existing
situation, and I hope that we can move toward a more friendly and
cooperative conversation about the situation.

First, I am very sorry that FSF staff did not include the savannah hackers
more collaboratively in the recovery process.  A root compromise to a
system that is trusted with the integrity of the source code of important
Free Software projects -- be they GNU or not -- is a cause for serious
concern, attention, redesign and investigation.  We were wrong to not
collaborate actively with you -- those who knew the system best -- as we
tried to set up a secure solution in its place.

We are very appreciative of your work, and are very sorry for frustrations
that you currently feel or have felt regarding responsiveness from the FSF
system staff.  We want to correct that problem immediately, and begin a
collaborative process to assist in the management of Savannah.  The
Savannah system is a top priority for FSF, and we are charged with the
task of ensuring the integrity of the source code that is hosted on our
machines.  We cannot ensure that integrity without you leading the way;
you know the Savannah source best and can show us where our efforts can
best be spent.

It seems that the arguments we are having are not on a technical front,
but primarily because of frayed tempers that have been fed by many months
of miscommunication that began even before the machine was cracked.  I
want to find a way that we can build better communication between the
Savannah hackers and the FSF staff, so that when we roll out a more
secured Savannah later this week, you can lead the way as we work
collaboratively to provide the services.

On one specific note, we certainly should have given you immediate access
back to the system once it was brought online, and we erred by not doing
so.  Please get in touch with Paul right away with a trusted SSHv2 key,
and he will get all root access restored.

Last week, we were focused primarily on the audit of the software hosted
on savannah and looking for possible security problems; not in getting the
system running again specifically.  I am certainly frustrated by the
downtime too, but I believe, and I hope you will agree, that getting a
secured infrastructure that is substantially less vulnerable to cracker
attacks must be a priority.

I have instructed the FSF system staff -- which is now comprised of Paul
Fisher <address@hidden> and Jim Blair <address@hidden> -- to allow savannah
hackers to lead the way regarding matters of savannah management.
Obviously, there will be technical disagreements, but for the sake of the
users who rely on this system and its secured integrity, we must strive to
work together and rely on each other's respective talents to make a
working system.  I don't think anyone disputes that system security and
integrity needs to be a focus now.  Having been through these types of
security compromises and system hardening before, our sysadmins have a
contribution to make.  I hope you will accept their contribution and work
with them.

I am happy to see that Vincent, Paul, and Jim are at this very hour
working together in a friendly way to bring Savannah back online in a
secured but fully functional way.  I hope that others will join this
collaboration.  We all have the same goal here, and I hope that we can put
rancor aside and work together.

Please let me know, via email or telephone, if there is anything I can do
to help the situation and communication get better.  You are also always
welcome to phone as well as email Paul and Jim if there is any confusion
or miscommunication that needs to be cleared up.


I hope we can work past this and get Savannah running smoothly again.

--
Bradley M. Kuhn, Executive Director
Free Software Foundation   |  Phone: +1-617-542-5942
59 Temple Place, Suite 330 |  Learn more about FSF and how you can help:
Boston, MA 02111-1307  USA |  http://svcs.affero.net/rm.php?r=bkuhn&p=FSF

Attachment: pgp7fF2283Zsc.pgp
Description: PGP signature

