
[Savannah-hackers] Re: Savannah situation


From: Mathieu Roy
Subject: [Savannah-hackers] Re: Savannah situation
Date: Thu, 18 Dec 2003 10:11:25 +0100
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)

"Bradley M. Kuhn" <address@hidden> said:

> Dear Savannah Hackers,

Hello,

> I understand that everyone is currently very upset about the existing
> situation, and I hope that we can move toward a more friendly and
> cooperative conversation about the situation.
>
> First, I am very sorry that FSF staff did not include the savannah hackers
> more collaboratively in the recovery process.  A root compromise to a
> system that is trusted with the integrity of the source code of important
> Free Software projects -- be they GNU or not -- is a cause for serious
> concern, attention, redesign and investigation.  We were wrong to not
> collaborate actively with you -- those who knew the system best -- as we
> tried to set up a secure solution in its place.
>
> We are very appreciative of your work, and are very sorry for frustrations
> that you currently feel or have felt regarding responsiveness from the FSF
> system staff.  We want to correct that problem immediately, and begin a
> collaborative process to assist in the management of Savannah.  The
> Savannah system is a top priority for FSF, and we are charged with the
> task of ensuring the integrity of the source code that is hosted on our
> machines.  We cannot ensure that integrity without you leading the way;
> you know the Savannah source best and can show us where our efforts can
> best be spent.
>
> It seems that the arguments we are having are not on a technical front,
> but primarily because of frayed tempers that have been fed by many months
> of miscommunication that began even before the machine was cracked.  I
> want to find a way that we can build better communication between the
> Savannah hackers and the FSF staff, so that when we roll out a more
> secured Savannah later this week, you can lead the way as we work
> collaboratively to provide the services.
>
> On one specific note, we certainly should have given you immediate access
> back to the system once it was brought online, and we erred by not doing
> so.  Please get in touch with Paul right away with a trusted SSHv2 key,
> and he will get all root access restored.

On one specific note, you certainly should have told us that you were
not reinstalling the system but changing the system.

> Last week, we were focused primarily on the audit of the software hosted
> on savannah and looking for possible security problems; not in getting the
> system running again specifically.  I am certainly frustrated by the
> downtime too, but I believe, and I hope you will agree, that getting a
> secured infrastructure that is substantially less vulnerable to cracker
> attacks must be a priority.

I think that is a big mistake. 3 major security holes had been found
in software we used until then, so it's not a big surprise that the
machine got cracked. However, it was possible to restart minimal and
essential services (for instance, CVS commits via SSH, web interface)
and improve the security while running, deactivating only tools
like rsync/sftp/anoncvs/kerberos until a thorough check is made on them.

That was what debian did. packages.debian.org is still unavailable
(not a big deal) but security.debian.org was up 2 or 3 days after the
compromise. That was the way to go; that is what I would have said if
you had asked us what we thought.

But you made a different decision. That's not the real problem: you
have the right to make what I consider to be a mistake. But, clearly,
making this kind of decision without discussion, just keeping us
waiting without knowing what was going on, is the major mistake.


> I have instructed the FSF system staff -- which is now comprised of Paul
> Fisher <address@hidden> and Jim Blair <address@hidden> -- to allow savannah
> hackers to lead the way regarding matters of savannah management.
> Obviously, there will be technical disagreements, but for the sake of the
> users who rely on this system and its secured integrity, we must strive to
> work together and rely on each other's respective talents to make a
> working system.  I don't think anyone disputes that system security and
> integrity needs to be a focus now.  Having been through these types of
> security compromises and system hardening before, our sysadmins have a
> contribution to make.  I hope you will accept their contribution and work
> with them.
>
> I am happy to see that Vincent, Paul, and Jim are at this very hour
> working together in a friendly way to bring Savannah back online in a
> secured but fully functional way.  I hope that others will join this
> collaboration.  We all have the same goal here, and I hope that we can put
> rancor aside and work together.

I do not get exactly what help you would need. Installing apache,
mysql etc. is pretty trivial. Securing these tools takes some time but
cannot be done by 5 persons at the same time.

I think you now have to finish what you started. If you need specific
information from me, I can provide it; you can send a mail. But I have
no time to hang around on IRC. And anyway, I'll be unavailable from
the 21st to the 27th.

> Please let me know, via email or telephone, if there is anything I can do
> to help the situation and communication get better.  You are also always
> welcome to phone as well as email Paul and Jim if there is any confusion
> or miscommunication that needs to be cleared up.

Until now, I have not seen any plan, any schedule. Is there no plan and
no schedule for restarting the system? Didn't you first write down
what really needs to be done before making the system available to the
public, and what could be done later? What is the roadmap? What is the
status of the changes?


-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
