Kernel.org Still Struggles To Return

[deanjo]

I don't think of deanjo as a zelot, which to me is someone who is a fanatic and I don't think he is, although he's certainly a bsd partisan.

The issue at hand has nothing to do with being a fan of OS A or OS B. BSD to me is just another OS, as is linux, windows, os x, OS/2, AIX etc etc etc. They all have their strengths and weaknesses and depending on the task that is required that is what I use. Am I a fan of GPL, propriatary licenses, or any other restrictive license, no I am not. This however has nothing to do with what again can only described as a poor readiness and an even poorer deployment and recovery strategy.

Ehh? Disaster? Development went on practically uninterrupted (I just built and installed the latest rc).

PR wise, yes it gives a lot of fodder for the competition.

Again deanjo is unpleasantly surprised over the fact that the slow return of kernel.org hasn't started a massive shitstorm.

I'm not surprised at all given that there is a double standard and that most of the media written about linux is by linux fans.

But the answer is obvious, not kernel.org nor the Linux Foundation webstite are in any way a vital part of Linux development, as proven by this situation.

Unless you are Valve, security breaches have very rarely stopped any development anywhere at anytime.

As for the breach itself, from what has surfaced someone with root access has had his account credentials compromised and that account has been used to deploy a rootkit which in turn has been fishing for other credentials. Obviously no security system can protect itself from a malicious user with proper credentials for a root account, so the real question is how the credentials were compromised in the first place and if security policies can be aended to prevent something like this from happening again.

And this is basic security 101. Make sure your people that have such access also are trust worthy and competent enough to not become the weak link in the armor. Again going back to comments made above how this outage wouldn't mean much to competent IT, well a competent IT could also have that breach locked up in a matter of hours as well have a contingency plan ready should a breach like this occurs.

I don't see how Linux has come out stronger from this,

Humility is a strong teacher.

nor can I see how it has come out weaker. It has perhaps highlighted the flexibility of it's development model (by simply moving the project temporarily to github) but I doubt that was news to anyone.

GIT is powerful that is for sure, as are many other version control systems however GIT does not represent the public face of Linux. If MS or Apple or Amazon or Google or any other organization is to be taken seriously they have to portray that readiness in a public fashion to avoid taking a hit in public opinion. Picture a person that is reading a HOWTO compile your own kernel for example for the first time. Many (if not all) refer to getting the kernel sources from kernel.org. So for a while they check to see if they can get the source and come up to "Down for maintenance". They check back a few hours, ok maybe a few days, but a freaking month?

I certainly think that there will be a focus on security procedures and a tightening of account privileges, but again I can't see how this has any measurable effect on 'Linux'.

Again by bad press. A headline like "Linux sites suffer 10+% downtime in 2011 due to security breach" certainly doesn't do them any favors nor does it instill great confidence in a product that is supposed to be better security wise then the competition. Pick up any IT trade magazine in the next month or so and I guarantee you that this is going featured within the first four pages. Who does it effect the least? The people that already have a long history with linux and understand the compromise. For every one else however it does send up warning flags upon first presentation. If they wish to completely revamp the entire site that is fine, but any competent admin would directly address the immediate threat, get them back up and running for the time being until it's replacement is ready to be put up in place. Most competent admins even run parallel systems for a while until the replacement is "proven" in the field for a while with the old system in place should problems arise.

[Wyatt]

Deanjo? You're going to have to explain yourself better or your points aren't even worth addressing. You posit that competence can somehow overcome the fundamental flaw of being human and then put forward the idea that a duct tape patch on the same infrastructure would be sufficient despite the vector of root escalation not being known (but not before you took a potshot at Linus by taking one quote out of the greater context of its discussion and the aftermath amounting to agreement and a good laugh).

You have a good point about them needing better disaster readiness, but that's ancillary to the question of response quality in reality. Your responses seem to indicate that "magic" is a valid hardening technique for systems. but I'd love to be proven wrong, and there's some way of thoroughly pessimising a system that doesn't involve know-how and experience, but I doubt it.

[XorEaxEax]

Again by bad press. A headline like "Linux sites suffer 10+% downtime in 2011 due to security breach" certainly doesn't do them any favors nor does it instill great confidence in a product that is supposed to be better security wise then the competition.

If this was the case then openbsd would be likely dead and buried by now given the accusations of crypto backdoors which made huge headlines around the tech world. However the industry is not ruled by 'headlines' and IT managers do know the difference between a breached webpage and the Linux kernel. But hey, we will get to see how this plays out, I don't share your notion that this will generate a ton of bad press concerning Linux, simply because Linux development has sailed through this situation. And the lack of 'noise' concerning the slow return of kernel.org agrees with me, despite your best efforts in this thread to make it out as a REALLY BAD THING for Linux. To me it sounds like wishful thinking on your part.

[adriankx]

Even the most lame site has a backup and a disaster recovery center! When a flagship site like kernel.org is down for +1 month its a big. Linus doest care about the bloat these days in linux kerne, doesnt care about recent kernel regresion and this way of thinking will continue to go on as long as big players still cash in their money! I think he`ll keep it down for 1 month or so since redhat novell ibm and others still pay him! This is not a security flaw its a dam embarasment , THE kernel hacker THE ONE got hacked. Cmon ! i onestly thought that that at least developers of kernel the best there can be in linux land, but guess we are wrong. I think its time for all of us search for trojans and rootkits in near future! If this happend now it will happen again! A message was just sent kernel.org can be easily hacked! Next thing u know will hear redhat.com down opensuse.org and novel down and now forget ubuntu! In the end security on linux its becoming more of a bluff the good side is that at least malware is kept away from linux ecosistems ... yet! Who know since opensource is based on a principle we offer u something free so if u dont like fix it urself or switch, i other words no one gives a fuck. I dont see linux get better as it was a few years a go. It goes backwards, kernel flaws , linux desktop gnome3 , unity inovation for the sake of inovation. Couse u see those little developers behind gnome thought: HMM everybody its getting used to our gnome our DE and linux , not good we arent a unique breed anymore lets mess all things up rearange them so that when a nuub sees that Mr. and Mrs. gnome3 developer doing something in that DE to think hmmm he must be smart to be able to use something in this crap interface. Good thing that after many years Kde is finaly becoming stable. and XFCE and LXDE all good because u still have a choice!

All some of us want its a little a bit security and stability. Try now praising the linux virtues to even a techie orientate windows lover and explain how kernel.org and linux.com down for more than a month!

[XorEaxEax]

I think he`ll keep it down for 1 month or so since redhat novell ibm and others still pay him! This is not a security flaw its a dam embarasment , THE kernel hacker THE ONE got hacked.

Jeez you retard troll, do you think Linus Torvalds was running kernel.org? Just how daft are you?

Next thing u know will hear redhat.com down opensuse.org and novel down and now forget ubuntu! In the end security on linux its becoming more of a bluff the good side is that at least malware is kept away from linux ecosistems

LOL, how about you read up on how the breach happened you moron (like IN THIS THREAD).

Not that I know why I'm responding to an obvious troll, probably because Valencia vs Chelsea is a pretty boring match atm.

[adriankx]

Who ever is responsible sucks at his job plain and simple!

[not.sure]

I respectfully disagree. If it is maintained as a "hobby" that is a problem and a serious one at that. Like it or not it does leave a bad impression to have associated "banner" web sites for your product to go down for extended periods of time especially when it served as a mirror for many distro's. Those sites were getting 100k plus hits a day all the way back in 1999 and has grown considerably since then.

I agree, it does leave a bad impression. And that it's taking that long is really not helping. But still, I don't think kernel.org has dedicated admins/webmasters. hpa sent the updates to lkml, and he's an intel(?) guy, so probably those folks at intel, red hat, ibm, etc are taking care of that part-time. (ok, they should have enough linux know-how to get it done in a timely manner, so yeah, not so good...)

[adriankx]

The title of the post is actually good. Linux land is a land of struggle. Struggle to become a viable desktop alternative and so on. It`s interesting tho progress is here, slowly but it is. Who know what future will bring in linux land in 4-5 year from now:P.