From Fedora Project Wiki
Fedora Project Board Meeting :: Tuesday 2008-09-09
Roll Call
Attendees: Everyone on #fedora-board-meeting
Discussion Summary
coming shortly
IRC Transcript
- Raw discussion is here
| stickster | <meeting> | 09 Sep 14:02 |
|---|---|---|
| spoleeba | here | 09 Sep 14:02 |
| stickster | The Secretary should be arriving in a moment :-) | 09 Sep 14:03 |
| --- ChanServ (ChanServ@services.) changed mode: +v poelcat | 09 Sep 14:03 | |
| spoleeba | stickster, stalin? | 09 Sep 14:03 |
| quaid | hey kids | 09 Sep 14:03 |
| stickster | Hi everybody. Max is moderating in #fedora-board-public, and I think we have a couple short agenda items to get out of the way | 09 Sep 14:04 |
| * stickster gives mic to poelcat | 09 Sep 14:04 | |
| poelcat | first followup item is: https://fedoraproject.org/wiki/Board/Meetings/2008-08-05#Codecs_.282008-05-13.29 | 09 Sep 14:05 |
| --- ChanServ (ChanServ@services.) changed mode: +v mdomsch | 09 Sep 14:05 | |
| poelcat | fesco meets tomorrow so if a feature page is coming it needs to be submitted ASAP | 09 Sep 14:05 |
| mdomsch | everyone see http://itmanagement.earthweb.com/osrc/article.php/3770216/The+Fedora-Red+Hat+Crisis.htm | 09 Sep 14:06 |
| mdomsch | ? | 09 Sep 14:06 |
| mdomsch | that's why I love transparency and meeting minutes | 09 Sep 14:06 |
| skvidal | mdomsch: yah - I read it | 09 Sep 14:06 |
| quaid | OMGCRISIS! | 09 Sep 14:06 |
| spot | does the Flash have to die this time? | 09 Sep 14:06 |
| stickster | poelcat: I've pinged the RPM dev team again about that feature page. | 09 Sep 14:07 |
| --- ChanServ (ChanServ@services.) changed mode: +v f13 | 09 Sep 14:07 | |
| f13 | sorry I'm late, turns out 'cheese' will crash your system if you try to take a video. | 09 Sep 14:07 |
| stickster | poelcat: At worst, this may fit into the overall 'new RPM 4.6' feature category | 09 Sep 14:07 |
| stickster | And we could call out specfic new RPM features as desired | 09 Sep 14:07 |
| spoleeba | f13, oh thats a new feature | 09 Sep 14:08 |
| stickster | Maybe we should call that one out too? | 09 Sep 14:08 |
| spoleeba | mdomsch, do i really have to read it? | 09 Sep 14:08 |
| mdomsch | spoleeba, you can surmise from the title | 09 Sep 14:08 |
| stickster | poelcat: I believe that Panu's on travel today but I've also emailed jnovy and ffesti | 09 Sep 14:09 |
| stickster | Panu's said that he will have this in by the final dev freeze. | 09 Sep 14:09 |
| spoleeba | mdomsch, i do love how he surmizes how i feel about the situation as a Board member | 09 Sep 14:09 |
| * stickster not ignoring the conversation thread on the Byfield article, just trying to get through the agenda | 09 Sep 14:10 | |
| poelcat | anything else to note on the "codecs" topic? | 09 Sep 14:10 |
| mdomsch | stickster, agenda++ | 09 Sep 14:10 |
| quaid | mdomsch: your fault! :D | 09 Sep 14:11 |
| stickster | Oh, hang on -- | 09 Sep 14:11 |
| f13 | 'by the final dev freeze' seems rather late if we need to do something on top of this feature in other packages. | 09 Sep 14:11 |
| stickster | Yeah, that's why I've sent a couple emails about it. | 09 Sep 14:12 |
| stickster | The most recent one was yesterday. | 09 Sep 14:12 |
| stickster | I checked the RPM git repos and didn't see the proposed patch in there. | 09 Sep 14:12 |
| f13 | hrm. | 09 Sep 14:14 |
| spot | do we need to say anything else about this or can we move on? | 09 Sep 14:15 |
| stickster | I invited jnovy to talk about it, but let's move on for now. | 09 Sep 14:15 |
| stickster | poelcat: next | 09 Sep 14:15 |
| poelcat | prograess on update to trademark usage guidelines | 09 Sep 14:16 |
| stickster | Ah | 09 Sep 14:16 |
| stickster | https://fedoraproject.org/wiki/User:Pfrields/NewTrademarkGuidelines | 09 Sep 14:16 |
| stickster | I've been actively working on them, through last week and up until yesterday | 09 Sep 14:16 |
| stickster | RH Legal is reviewing them, and the newest state of that page incorporates their most recent review. | 09 Sep 14:16 |
| stickster | So, progressing. | 09 Sep 14:16 |
| poelcat | ref: https://fedoraproject.org/wiki/Board/Meetings/2008-08-05#Trademark_Guidelines_.282008-07-01.29 | 09 Sep 14:17 |
| stickster | I'd really like to have that wrapped up by the end of the month if at all possible. | 09 Sep 14:17 |
| stickster | (preferably sooner) | 09 Sep 14:17 |
| spoleeba | stickster, uhm... there needs to be a decision about whether trademark usage is going to require technical specifics | 09 Sep 14:17 |
| mdomsch | stickster, "not disparaging to Red Hat or the Fedora Project" | 09 Sep 14:18 |
| mdomsch | to what extent? | 09 Sep 14:18 |
| mdomsch | presumably the board would have to enforce | 09 Sep 14:18 |
| stickster | spoleeba: we can add a statement that says usage is pursuant to separate technical requirements | 09 Sep 14:18 |
| mdomsch | 09 Sep 14:19 | |
| * mdomsch is not in favor of requiring selinux | 09 Sep 14:19 | |
| stickster | spoleeba: Please use the "discussion" tab and enter your comments there | 09 Sep 14:19 |
| spoleeba | stickster, i dont have a problem with it as it stands..... there are others | 09 Sep 14:19 |
| ctyler | stickster: I have at least one more use case for you, too | 09 Sep 14:19 |
| stickster | spoleeba: They're free to do the same :-) | 09 Sep 14:19 |
| stickster | spoleeba: I've invited the community repeatedly to help with use cases, etc. | 09 Sep 14:20 |
| spoleeba | stickster, here's my point.. i dont think we can "wrap this up in a month" considering what we just had a discussion in fab | 09 Sep 14:20 |
| stickster | Many have already, including Jeroen, BKearney, Max, others... | 09 Sep 14:20 |
| * stickster continues to happily accept more input | 09 Sep 14:20 | |
| mdomsch | EOM is a decent goal though | 09 Sep 14:21 |
| quaid | +1 to pursuant to other technical requirements | 09 Sep 14:21 |
| quaid | then we can update that list on going without jiggling the trademark rules with details it don't need | 09 Sep 14:22 |
| stickster | quaid: Right. | 09 Sep 14:22 |
| stickster | Legal documents and technical requirements are two different kettles of fish. | 09 Sep 14:22 |
| quaid | thus, eomonth can work | 09 Sep 14:22 |
| stickster | buckets of meat? | 09 Sep 14:22 |
| quaid | eww^2 | 09 Sep 14:22 |
| stickster | baskets of asparagus | 09 Sep 14:23 |
| f13 | mdomsch: I'm also not really in favor of seeing something out there under the Fedora name that /doesn't/ ship with selinux | 09 Sep 14:23 |
| spoleeba | stickster, we must decide if the Board is going to continue to be one of the groups who gets to decide on technical requirements or not | 09 Sep 14:23 |
| stickster | (for the veggiesauri) | 09 Sep 14:23 |
| spot | i think i dated that once in college. | 09 Sep 14:23 |
| f13 | mdomsch: under the full Fedora name, not a 'based on Fedora' or 'built on Fedora' name | 09 Sep 14:23 |
| quaid | at least Kettle of Fish was a decent dive bar in Greenwich Village | 09 Sep 14:23 |
| f13 | 09 Sep 14:23 | |
| * f13 loads the wiki page to comment | 09 Sep 14:23 | |
| quaid | +1 to continuing the SELinux et al discussion on f-a-b, as part of the technical kettle | 09 Sep 14:23 |
| spoleeba | stickster, i have no problem with a moving target for technical requirements..but as the trademark policy stands as drafted the Board isnt going to be building those roadblocks | 09 Sep 14:24 |
| spoleeba | stickster, and if the Board shouldnt be doing it..then we should firmly state who should be doing it | 09 Sep 14:24 |
| spot | 09 Sep 14:24 | |
| * spot coughs *rel-eng* | 09 Sep 14:24 | |
| quaid | spoleeba: explain "isn't going" | 09 Sep 14:24 |
| spot | sorry. something stuck in my throat. | 09 Sep 14:24 |
| stickster | spoleeba: The page indicates that the trademark owner always retains rights to the TMs, and the Board is always responsible for enforcing compliance. | 09 Sep 14:25 |
| f13 | erm, I thought the point of the new policy was that /nobody/ had to review it, there was no blocker | 09 Sep 14:25 |
| spoleeba | stickster, enforcing compliance.. and defining the technical hurdles are not the same | 09 Sep 14:25 |
| stickster | RelEng has the Spins group tapped to create the technical requirements | 09 Sep 14:25 |
| spoleeba | f13, that was what i thought as well | 09 Sep 14:25 |
| stickster | f13: Correct? | 09 Sep 14:25 |
| f13 | stickster: those are for things that Fedora as a project puts out for users to consume | 09 Sep 14:26 |
| mdomsch | as long as usage is within the policy, yes, no apriori review | 09 Sep 14:26 |
| f13 | stickster: but I thought under the new guidelines, anybody could make whatever they want, as long as it adheres to the guidelines and publish it as "Fedora" | 09 Sep 14:26 |
| f13 | ergo there is no chance for somebody like releng to vette it for technical items | 09 Sep 14:26 |
| notting | well, was aos being reviewed under the new or old guidelines? | 09 Sep 14:26 |
| f13 | therefor, we need to codify technical restrictions into the policy | 09 Sep 14:27 |
| spoleeba | mdomsch, the question becomes which group is tasked with coming up with the moving target policy | 09 Sep 14:27 |
| notting | i don't recall saying one way or another that they can't be Fedora if they turned off selinux. i was just curious *why* they were doing it | 09 Sep 14:27 |
| spot | notting: you should talk to bryan_kearney1 | 09 Sep 14:28 |
| notting | spot: i was the first post on the thread | 09 Sep 14:28 |
| mdomsch | notting, f13 would like to say "if they turn of selinux, it's not Fedora". I'm not of the same opinion. :-) | 09 Sep 14:28 |
| quaid | f13: why codify in to the policy? the policy can just state, "follow this moving target over here or don't use the mark" | 09 Sep 14:28 |
| f13 | mdomsch: to be the top tier trademark, "Fedora", I feel that there should be a bare minimum it meets | 09 Sep 14:28 |
| f13 | yum, selinux, etc.. | 09 Sep 14:29 |
| ctyler | f13: that minimum should be coded somewhere else and the policy should point to it | 09 Sep 14:29 |
| f13 | anything less than that falls to the next tier, Based on Fedora or whatever | 09 Sep 14:29 |
| ctyler | so the policy doesn't change when the tech does | 09 Sep 14:29 |
| f13 | ctyler: that's acceptable | 09 Sep 14:29 |
| f13 | it still has the same net effect though | 09 Sep 14:29 |
| spoleeba | quaid, I really would like to avoid having the Board be the group which codifies the moving policy... id rather have the Board just enforce it or arbitrate when the group who does deal with the policy gets deadlocked | 09 Sep 14:29 |
| f13 | policy will change over time | 09 Sep 14:29 |
| stickster | OK, so far I see a lot of us in essentially violent agreement. | 09 Sep 14:30 |
| quaid | spoleeba: the Board cannot absolve itself of the responsibility, it can assign it to other people, and I think that chain has clearly been established! | 09 Sep 14:31 |
| quaid | Board asked Releng, which has asked Spins, right? | 09 Sep 14:31 |
| stickster | At least as far as decoupling and linking the technical requirements for TM usage. | 09 Sep 14:31 |
| quaid | yes | 09 Sep 14:31 |
| spoleeba | quaid, the fab discussion would suggest...otherwise | 09 Sep 14:31 |
| quaid | spoleeba: don't do that | 09 Sep 14:32 |
| quaid | spoleeba: just because one is on the Board doesn't mean you cannot be involved in the assigned task | 09 Sep 14:32 |
| quaid | spoleeba: you saw people speaking as individuals | 09 Sep 14:32 |
| spoleeba | quaid, but not in the context of the spins sig's communication channel | 09 Sep 14:32 |
| quaid | for example, I am a bit of an SELinux historian and feel strongly about it, so I spoke up | 09 Sep 14:32 |
| spoleeba | quaid, my point is... the selinux came up..as part of the Board's step in the process... | 09 Sep 14:32 |
| f13 | guys | 09 Sep 14:33 |
| quaid | simply because it hasn't been codified | 09 Sep 14:33 |
| quaid | by anyone yet | 09 Sep 14:33 |
| f13 | we're talking about multiple things here | 09 Sep 14:33 |
| spot | perhaps we should ask the Spins group to provide a list of "suggested minimum technical requirements" for a spin. | 09 Sep 14:33 |
| f13 | there are the things that Fedora produces itself, which we have a clear path of review for | 09 Sep 14:33 |
| spot | then we can argue about that ad infinitum | 09 Sep 14:33 |
| f13 | then there are the things that individuals would be producing, under the name of Fedora | 09 Sep 14:33 |
| f13 | where there is 0 review path, and 0 proposed review path | 09 Sep 14:33 |
| spoleeba | quaid, are we always going to see that happen? new policy will come up at the Board step..and then have to be pushed back to the Spin SIG to deal with? | 09 Sep 14:33 |
| f13 | my only issue is with the latter, not the former. | 09 Sep 14:33 |
| f13 | spoleeba: my issue doesn't really involve the spin sig | 09 Sep 14:34 |
| quaid | spoleeba: Spins/Releng needs to show the technical list early enough to the Board to get input, that's all | 09 Sep 14:34 |
| f13 | because my issue is with the folks that will be producing content outside the spins process | 09 Sep 14:34 |
| quaid | f13: yes, and that discussion belongs in a thread about what technical requirements we get from Spins/releng; so you can make sure SELinux is on that list with your releng hat, and we can debate in our final vetting at the Board side. | 09 Sep 14:35 |
| quaid | spot: +1 to asking Spins (+ releng) to come up with the initial technical list | 09 Sep 14:35 |
| quaid | and yes I think it does need Board vetting. | 09 Sep 14:35 |
| quaid | otherwise we are passing on accountability that we cannot pass on! | 09 Sep 14:35 |
| f13 | agreed | 09 Sep 14:35 |
| ctyler | +1 | 09 Sep 14:36 |
| spot | +1 from me (obviously) | 09 Sep 14:36 |
| skvidal | +1 | 09 Sep 14:36 |
| notting | +1 | 09 Sep 14:36 |
| mdomsch | +1 | 09 Sep 14:37 |
| stickster | f13: Can you own the task of starting and collecting that discussion? | 09 Sep 14:37 |
| stickster | we really need to get to the Q&A, guys. | 09 Sep 14:38 |
| f13 | stickster: yeah, I'll take it. add it to the ever growing list of doom. | 09 Sep 14:38 |
| spot | the answer to all of the pending questions is: thinly sliced lunch meat | 09 Sep 14:39 |
| stickster | OK, anything more on this? Let's move on if not | 09 Sep 14:39 |
| f13 | damnit, now i'm hungry | 09 Sep 14:39 |
| poelcat | 09 Sep 14:39 | |
| * poelcat notes that wraps up previous business | 09 Sep 14:39 | |
| poelcat | back to you stickster | 09 Sep 14:39 |
| stickster | Q&A time | 09 Sep 14:39 |
| stickster | spevack: Go! | 09 Sep 14:39 |
| stickster | :-) | 09 Sep 14:40 |
| spevack | ok. | 09 Sep 14:40 |
| spevack | we have a number of questions. | 09 Sep 14:40 |
| spevack | there are a few about the infrastructure stuff. | 09 Sep 14:40 |
| spevack | so give me a moment to paste them all in, and then you can sort of answer from different bits | 09 Sep 14:40 |
| spevack | since there will be some overlap | 09 Sep 14:40 |
| spevack | the first was from vallor: | 09 Sep 14:40 |
| spevack | "I'm sure one of the questions on everybody's mind is the status of "Infrastructure" -- and are the rumors true that the bogusly-signed openssh packages were trojaned? (Max edit: we asked for some clarification and the response follows) I'm referring to anything and everything in the incident where systems were compromised -- and if that flows slightly into RHEL space, I think it is only prudent to explain that part of the incident, too." | 09 Sep 14:40 |
| spevack | 09 Sep 14:41 | |
| spevack | the second from lwnjake and nirik: | 09 Sep 14:41 |
| spevack | "also, when might we find out more about exactly what happened to the infrastructure?" | 09 Sep 14:41 |
| spevack | 09 Sep 14:41 | |
| spevack | and the third from rdieter: | 09 Sep 14:41 |
| spevack | "another hard ball, why wasn't the board informed of anything? (afaik, they're as much uninformed as anyone). or so says mr. spoleeba" | 09 Sep 14:41 |
| spevack | 09 Sep 14:41 | |
| spevack | that's all the infrastructure questions we have right now. | 09 Sep 14:41 |
| f13 | I can take the last one | 09 Sep 14:41 |
| spevack | there's two others on different topics | 09 Sep 14:41 |
| spevack | 09 Sep 14:41 | |
| * spevack goes silent | 09 Sep 14:41 | |
| f13 | A few board members became aware of what was going on, due to other roles played by those board members. | 09 Sep 14:41 |
| f13 | Some of these people were Red Hat employees, others were under a Red Hat NDA for various other reasons. | 09 Sep 14:42 |
| stickster | The Board has no NDAs with Red Hat. | 09 Sep 14:42 |
| stickster | Sorry, the people on the Board who are volunteers -- | 09 Sep 14:42 |
| stickster | and have no prior formal relationship with Red Hat -- | 09 Sep 14:42 |
| stickster | don't have any NDA. | 09 Sep 14:43 |
| quaid | ! | 09 Sep 14:43 |
| f13 | when it became apparent that the breakin effected Red Hat itself, and not just Fedora infrastructure, Red Hat asked for no further discussion with anybody else, unless it was approved by the people workign the issue | 09 Sep 14:43 |
| skvidal | stickster: not the ndas would have helped in terms of disclosure... | 09 Sep 14:43 |
| f13 | my assumption was because we at that time had no idea who had broken in and did not want to divulge any information that would leak to the wrong ears. | 09 Sep 14:43 |
| quaid | f13: not only fair but smart assumption | 09 Sep 14:44 |
| f13 | for better or worse, I and the other board members who were "in the know" followed that request and did not further inform any other board members | 09 Sep 14:44 |
| f13 | people were brought into "the know" based on what we needed from them on individual issues | 09 Sep 14:44 |
| spoleeba | so how do i feel about that..as being a non-NDA'd Board member... | 09 Sep 14:44 |
| mdomsch | and even then, the extent of "in the know" varied person-to-person by their duties | 09 Sep 14:44 |
| stickster | As is true of all security investigations, progress reports are somewhat closely contained. | 09 Sep 14:45 |
| quaid | I was personally totally unsurprised that I was kept in the dark nearly the entire time the whole world was. | 09 Sep 14:45 |
| spoleeba | im not signing an NDA just to be on the board | 09 Sep 14:45 |
| f13 | It's pretty easy to tear this apart post-incident, but in the heat of the moment it did not seem prudent to strain the Fedora/RH relationship by blatingly ignoring requests. | 09 Sep 14:45 |
| quaid | since I have no role in Fedora or RHT that puts me in touch with infrastructure | 09 Sep 14:45 |
| f13 | now, had we thought of it, we likely could have gotten approval to inform the full Fedora board of what was going on, and kept them in formed. | 09 Sep 14:45 |
| --- ChanServ (ChanServ@services.) changed mode: +v gregdek | 09 Sep 14:45 | |
| quaid | I expected that the IT professional colleagues and community members were doing the right thing. | 09 Sep 14:46 |
| spot | On question 1: No "bogusly-signed" Fedora packages were distributed via any official mechanism. No "bogusly-signed" RHEL packages were distributed via any official mechanism (RHN). | 09 Sep 14:46 |
| f13 | the question really is "what value would that have added" other than having more people who could not/should not tell anybody else. | 09 Sep 14:46 |
| quaid | f13: +1 | 09 Sep 14:46 |
| spoleeba | I think we can do a lot just by having a generally useful infrastructure incident plan..with known interaction points with Red Hat | 09 Sep 14:46 |
| stickster | f13: I did think of it, but it was simply not possible given the sensitivity of the investigation. | 09 Sep 14:46 |
| quaid | f13: I was hapy to not know because it wasn't my job to be in the know. | 09 Sep 14:46 |
| f13 | stickster: fair point. | 09 Sep 14:46 |
| quaid | spoleeba: +1 that is a great shakeout from this | 09 Sep 14:46 |
| quaid | obvious holes in our communication plan, etc. | 09 Sep 14:46 |
| quaid | but only after the fact | 09 Sep 14:47 |
| f13 | absolutely | 09 Sep 14:47 |
| quaid | how do you know is too much or too little for community folks? | 09 Sep 14:47 |
| f13 | lmacken has agreed to work on an incident response plan | 09 Sep 14:47 |
| quaid | to be honest | 09 Sep 14:47 |
| mdomsch | if it had been solely a Fedora thing, we would have treated it differently I'm sure | 09 Sep 14:47 |
| quaid | if we sent out the same thing each day, it would have been appreciated, aiui | 09 Sep 14:47 |
| quaid | mdomsch: +1 | 09 Sep 14:47 |
| stickster | And we do have to understand that there are still places where our project touches what is essentially a commercial entity, Red Hat. | 09 Sep 14:47 |
| f13 | mdomsch: I think so too. Fedora isn't legally responsible to a number of customers (: | 09 Sep 14:47 |
| skvidal | mdomsch: _maybe_ | 09 Sep 14:47 |
| quaid | stickster: same is true in other cases | 09 Sep 14:47 |
| quaid | what if something had happened at a hosting provider that has Fedora boxen? | 09 Sep 14:48 |
| skvidal | mdomsch: Given what I've understood after the event | 09 Sep 14:48 |
| quaid | we would have been in the same situation | 09 Sep 14:48 |
| stickster | Our incident response plan will need to recognize that in some situations there are going to be decision points that lead into Red Hat where we can't dictate how every detail will run | 09 Sep 14:48 |
| stickster | Although we can set the stage -- | 09 Sep 14:48 |
| skvidal | I'm not at all clear that we could have announced the status of things if it were purely a fedora intrusion | 09 Sep 14:48 |
| skvidal | not w/o clearance from red hat legal, at the least | 09 Sep 14:48 |
| spoleeba | stickster, and in the future.. possibly not Red Hat...if we have donated infrastructure services from other companies | 09 Sep 14:48 |
| stickster | - by setting up reasonable expectations internally and externally for how to communicate incidents like this. | 09 Sep 14:48 |
| ctyler | I don't think anyone really minded being in the dark, but it seemed like a long time to be in the dark, especially with production systems out there | 09 Sep 14:48 |
| f13 | skvidal: you make a good point, and I think every incident will be different and have slightly different results | 09 Sep 14:49 |
| spot | ctyler: it takes a LONG time to audit everything in cvs. | 09 Sep 14:49 |
| skvidal | f13: I think from here on out we can expect a lot more scrutiny in public announcements of anything like this | 09 Sep 14:49 |
| skvidal | that's just my impression, though | 09 Sep 14:49 |
| quaid | ctyler: I guess what bothered me during and after was the presumption that Fedora leadership had left community members high and dry in an effort to save RHT's bacon. | 09 Sep 14:49 |
| skvidal | quaid: we left community members b/c we had no choice in the matter | 09 Sep 14:49 |
| skvidal | wait | 09 Sep 14:49 |
| skvidal | I'm wrong | 09 Sep 14:49 |
| f13 | ctyler: it's pretty hard not to infuse somebody with a false sense of security, while at the same time not infusing them with a false sense of insecurity | 09 Sep 14:50 |
| skvidal | our choices were 'do not talk about it or be in breach of contract' | 09 Sep 14:50 |
| mdomsch | quaid, I'm not sure how common that perception i | 09 Sep 14:50 |
| mdomsch | is | 09 Sep 14:50 |
| quaid | mdomsch: it's what Byfield's article is around | 09 Sep 14:50 |
| mdomsch | AFAICT, people "in the know" worked their tails off to protect our end users - our #1 priority | 09 Sep 14:50 |
| stickster | I tried not to take any presumptions personally. | 09 Sep 14:50 |
| quaid | total ignorance of IT practice in favor of freaking out about Red Hat. | 09 Sep 14:50 |
| ctyler | But there's a difference between software that just says "please wait" and software that says "please wait" and has a spinning icon so you know it hasn't crashed | 09 Sep 14:50 |
| spevack | stickster: there are a number of follow-ups whenever you are all ready for them. | 09 Sep 14:51 |
| ctyler | we need the spinning icon | 09 Sep 14:51 |
| quaid | but anyway, that's an old and dull adze. | 09 Sep 14:51 |
| spot | spevack: okay, lets hear those follow-ups | 09 Sep 14:51 |
| quaid | ctyler: ok, fair; even daily repeats of previous announcements is better than nothing. | 09 Sep 14:51 |
| f13 | have we sufficiently hit the first 3 questions? | 09 Sep 14:51 |
| spevack | i think you have. and the follow-ups will provide more opportunity. | 09 Sep 14:51 |
| spot | well, i answered Q1. | 09 Sep 14:51 |
| skvidal | f13: there's still a little un-kicked horse, I'm sure | 09 Sep 14:51 |
| spevack | so let me paste that all in. | 09 Sep 14:51 |
| spevack | and then give it back to you guys | 09 Sep 14:51 |
| spevack | 09 Sep 14:52 | |
| spevack | 09 Sep 14:52 | |
| f13 | k | 09 Sep 14:52 |
| stickster | I think a lot of people were frustrated about the lack of information, or the timing, and I truly sympathize. | 09 Sep 14:52 |
| spevack | 09 Sep 14:52 | |
| spevack | vwbusguy: "I'd like to know what security changes in regard to the repos / updates and stuff, if any other than the key change, if it hasn't been discussed yet" | 09 Sep 14:52 |
| spevack | 09 Sep 14:52 | |
| spevack | LyosNorezel: "why is RH's blanket restraint order still in effect? the problem's over... no? why not give a detailed explanation?" | 09 Sep 14:52 |
| spevack | 09 Sep 14:52 | |
| spevack | vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ redhat.com is private to just the Board.) | 09 Sep 14:52 |
| spevack | 09 Sep 14:52 | |
| spevack | go at it | 09 Sep 14:52 |
| spot | LyosNorezel: the investigation is _still_ ongoing. | 09 Sep 14:52 |
| stickster | As for #2, it's *not* over. | 09 Sep 14:52 |
| skvidal | spevack: it's an ongoing investigation - the problem is not resolved | 09 Sep 14:52 |
| quaid | 09 Sep 14:52 | |
| * quaid votes that stickster give the first set of answers this time | 09 Sep 14:52 | |
| f13 | #1) we've had a number of chagnes coming up that were unrelated to the break in | 09 Sep 14:53 |
| stickster | vwbusguy: The changes you're seeing are all happening openly and transparently. | 09 Sep 14:53 |
| f13 | gpg signing of repodata, a more secure signing server, and better signing practices had all been under discussion before the breakin, and made more important because of the break in | 09 Sep 14:53 |
| stickster | No one is trying to make changes to Fedora on the sly. Period, full stop. | 09 Sep 14:53 |
| mdomsch | 09 Sep 14:54 | |
| * mdomsch is amazed, and proud, that the Fedora Infrastructure team could rebuild _every single box_ in a week, to ensure they were all clean | 09 Sep 14:54 | |
| spevack | stickster: also, nirik has mentioned that he does not feel that his and lwnjake's initial question was addressed. It was (paraphrasing) "when will we find out more about what happened?" | 09 Sep 14:54 |
| skvidal | mdomsch: I don't think that's really at issue | 09 Sep 14:54 |
| f13 | vallor: lmacken is part of the Fedora security SIG and he's the primary driver for the incident response plan. | 09 Sep 14:54 |
| f13 | vallor: the plan will be developed in teh open and will be open to comment if you'd like to participate. | 09 Sep 14:54 |
| mdomsch | skvidal, it was part of the recovery plan | 09 Sep 14:54 |
| f13 | Unfortunately we'll find out more when ... we find out more. | 09 Sep 14:54 |
| stickster | vallor: And I think we'd continue to use fedora-board-list for any such conversations, with the understanding -- as always -- that we try and use it as little as possible, and keep discussions open and transparent to the maximum extent. | 09 Sep 14:55 |
| skvidal | mdomsch: 'recovery plan' might be a bit strong of a statement | 09 Sep 14:55 |
| spevack | f13: vallor asks me to give you his thanks. | 09 Sep 14:55 |
| skvidal | mdomsch: I mean the plan was more or less 'pull back nuke everything from orbit' | 09 Sep 14:55 |
| f13 | the investigation is still ongoing, and while I don't have any knowledge of it, I wouldn't be surprised if there is law enforcement involved somewhere. | 09 Sep 14:55 |
| mdomsch | granted | 09 Sep 14:55 |
| skvidal | mdomsch: we opted to scorch the earth rather than second guess | 09 Sep 14:55 |
| stickster | skvidal: With which plan I was in 100% agreement. | 09 Sep 14:56 |
| spot | lwnjake: when we're told that we can by the parties running the investigation, not a second before, and not a second later. | 09 Sep 14:56 |
| skvidal | right - but a plan with 1 step is not quite a plan :) | 09 Sep 14:56 |
| * stickster +1's spot. | 09 Sep 14:56 | |
| spot | 09 Sep 14:57 | |
| * spot would like to point out that Byfield's chicken little attitude is really irrational. No other FOSS publicly traded company (note that I said company) has ever had to deal with anything like this before. | 09 Sep 14:57 | |
| spot | yeah, it wasn't as good as it could be, but in true FOSS fashion, we're taking lots of notes and submitting patches | 09 Sep 14:58 |
| skvidal | spot: it would be nice to get something resembling a status update from folks internal | 09 Sep 14:58 |
| skvidal | spot: I agree with that concern, entirely | 09 Sep 14:58 |
| spot | it would be nice, and hopefully we'll have something new soon. | 09 Sep 14:59 |
| spevack | stickster: when the Board is ready, there are two additional questions on different topics. | 09 Sep 14:59 |
| spevack | then i'll start looking for other follow-ups in the public room | 09 Sep 14:59 |
| stickster | Anything else on the intrusion matter? | 09 Sep 15:00 |
| stickster | If not, fire away spevack! | 09 Sep 15:00 |
| spevack | ok | 09 Sep 15:00 |
| spevack | vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ redhat.com is private to just the Board.) | 09 Sep 15:00 |
| spevack | wait, wrong paste | 09 Sep 15:00 |
| spevack | i already did that one | 09 Sep 15:00 |
| spevack | 09 Sep 15:00 | |
| spevack | 09 Sep 15:00 | |
| spevack | 09 Sep 15:00 | |
| spevack | bryan_kearney1: I would like to get feedback on the AOS Trademark request (Max edit: What is AOS, for those who don't know? Also, bryan is referring specifically to the SELinux question, and the "minimal set of technical requirements to call something fedora" question) | 09 Sep 15:00 |
| stickster | AOS is appliance operating system I think | 09 Sep 15:01 |
| f13 | we just spent 20 minutes arguing about that earlier in the meeting | 09 Sep 15:01 |
| f13 | one problem with "release early, release often" when it comes to policy is that sometimes we're not ready :/ | 09 Sep 15:01 |
| spevack | f13: bryan is typing a modified/follow-up question right now | 09 Sep 15:01 |
| spevack | hang on | 09 Sep 15:01 |
| spoleeba | f13, does the version he recently submitted with selinux set to permissive work for you..until the new trademark policy and its technical measures go into effect? | 09 Sep 15:02 |
| stickster | Bryan has been actively partipating in the TM guidelines stuff, partly because it directly affects a projet on which he's working | 09 Sep 15:02 |
| f13 | also, a lot of discussions got put to the side when the "incident" happened, and we're slowly bringing things back into the foreground | 09 Sep 15:02 |
| spot | bryan_kearney1: congratulations! you have stumbled into an unimplemented section of the map. beware of grues. we're scribbling as fast as we can. ;) | 09 Sep 15:02 |
| spevack | while we wait for bryan's follow-up, here's the other question: | 09 Sep 15:02 |
| spevack | 09 Sep 15:02 | |
| spevack | 09 Sep 15:02 | |
| spevack | inode0: less touchy I think question: why no new installation media? seems a large pain to install systems with keys that we need to replace after installation?! (Max edit: rdieter says this was possibly addressed in rel-eng meetings.) | 09 Sep 15:02 |
| f13 | spoleeba: maybe? I honestly haven't taken a moment to look at it, I've been entirely focused on getting updates out to users once again. | 09 Sep 15:02 |
| f13 | oh, and beta. | 09 Sep 15:02 |
| stickster | OK, let's answer John's question. | 09 Sep 15:03 |
| spot | inode0: because that doesn't help any of the already burned media out there, and for doing something like 9.1 there would be export approval/legal to go thru | 09 Sep 15:03 |
| f13 | We decided not to respin media because the content on the media is verified via other means than the keys on teh packages | 09 Sep 15:03 |
| stickster | I think the human-power cost of this is far too high vs. the current plan. | 09 Sep 15:03 |
| f13 | and that there was already a rather large amount of pre-mastered media out in the wild, that there was no real good reason to invalidate | 09 Sep 15:03 |
| spoleeba | f13, right... right... i realize.. im just saying that for in the meanwhile if his new kickstart is okay...then we should bless that for F10 timeframe | 09 Sep 15:03 |
| quaid | spoleeba is correct | 09 Sep 15:03 |
| f13 | spoleeba: it's on my list to look at. | 09 Sep 15:03 |
| quaid | f13: thanks | 09 Sep 15:04 |
| quaid | that's the blocker since we have no guidelines in place :D | 09 Sep 15:04 |
| spevack | 09 Sep 15:04 | |
| spevack | bryan_kearney1: AOS spin is still awaiting trademark approval, with selinux enabled (--permissive). We need additional feedback. I made changes per the feedback I got, and have gotten no new feedback | 09 Sep 15:04 |
| spevack | 09 Sep 15:04 | |
| notting | 'see the minutes from earlier in the meeting'? | 09 Sep 15:04 |
| spoleeba | f13, as to media... are we going to leave the new release rpm with the new key..signed with the old key..up until F9 eol? | 09 Sep 15:04 |
| f13 | we verified that the content on the media is good, we're going to re-sign the SHA1SUM file with the new key, and we're preparing our repos and mirrormanager so that fresh installs from those media will only ever hit our mirrors (the ones we control) for the updates, which will get them the transition bits to point them to the newly signed content. | 09 Sep 15:05 |
| spot | please hold, while we determine what the minimum technical requirements will be (once we receive them from the Spins team). | 09 Sep 15:05 |
| f13 | spoleeba: that is the plan. The repo will hold that and the PK updates and only those. Mirrormanager will force all requests to those repos into mirrors we control. | 09 Sep 15:05 |
| spoleeba | f13, excellent... so a very small mirror pool specifically for those updates | 09 Sep 15:05 |
| f13 | yes | 09 Sep 15:06 |
| spoleeba | f13, yeah mirrormanager! | 09 Sep 15:06 |
| mdomsch | spoleeba, d.f.r.c isn't really a small pool :-) | 09 Sep 15:06 |
| spevack | stickster: there are currently no other questions queued up | 09 Sep 15:06 |
| spoleeba | mdomsch, small is relative | 09 Sep 15:06 |
| stickster | bryan_kearney1: to add to what notting said, I think you're seeing the effects of many of the parties involved being wrapped up in the work to get F8/F9 updates back on the horse | 09 Sep 15:06 |
| quaid | question: | 09 Sep 15:07 |
| quaid | what is going on with secondary marks? | 09 Sep 15:07 |
| quaid | 09 Sep 15:07 | |
| * quaid waits to see if that question is clear enough :) | 09 Sep 15:07 | |
| mdomsch | quaid, the guidelines call for a new secondary mark | 09 Sep 15:08 |
| mdomsch | "Powered by Fedora", "Derived from Fedora", something like that | 09 Sep 15:08 |
| stickster | There are three questions -- Can we have one? What can it say? What does it look like? | 09 Sep 15:08 |
| spoleeba | mdomsch, i seem to remember this discussion happening before..way way way back wehn | 09 Sep 15:08 |
| notting | it has happened before. | 09 Sep 15:09 |
| mdomsch | and will again | 09 Sep 15:09 |
| stickster | So far, the answers I have, from talking with Red Hat Legal, are (1) Probably, (2) Not sure yet, (3) Not sure yet. | 09 Sep 15:09 |
| mdomsch | stickster, but we could get the artwork team to start 3) | 09 Sep 15:09 |
| f13 | am I watching a BSG episode? | 09 Sep 15:10 |
| spoleeba | mdomsch, i could suggest a briefcase with an infinite symbol on it...oh wait..nevermind | 09 Sep 15:10 |
| stickster | Well, it's very possible we can use the existing mark as *part* of the secondary mark. | 09 Sep 15:10 |
| mdomsch | f13, she was boxed | 09 Sep 15:10 |
| stickster | i.e. "Based on Fedora." | 09 Sep 15:10 |
| stickster | Current legal minds are telling me that's not necessarily verboten. | 09 Sep 15:10 |
| spoleeba | stickster, i like these new legal minds | 09 Sep 15:11 |
| mdomsch | "Fedora Inside" | 09 Sep 15:11 |
| mdomsch | + chimes | 09 Sep 15:11 |
| stickster | Something tells me they won't be nearly as happy about a secondary mark that infringes another trademark :-D | 09 Sep 15:11 |
| mdomsch | stickster, spoleeba +1 | 09 Sep 15:11 |
| stickster | So until we know what text we can use, and whether we can use the official logo, as part of the secondary mark, starting a design process is probably premature | 09 Sep 15:12 |
| quaid | so this is a depedency on these trademark guidelines being finished. | 09 Sep 15:13 |
| stickster | Especially if it comes down to, "Sure, use 'Based on Fedora'" with the official logo in XX specific configuration | 09 Sep 15:13 |
| ctyler | so eom+art team? | 09 Sep 15:13 |
| stickster | Because that art design will probably take about 5 minutes. | 09 Sep 15:13 |
| stickster | In fact, I already did one myself. | 09 Sep 15:13 |
| mdomsch | 09 Sep 15:13 | |
| * mdomsch gets out fingerpaints | 09 Sep 15:13 | |
| ctyler | uh oh | 09 Sep 15:13 |
| stickster | (but will leave it to real artists and not dilettantes like myself) | 09 Sep 15:13 |
| stickster | ctyler: I really, really hope so. | 09 Sep 15:13 |
| quaid | this rolls back a bit to the AOS question | 09 Sep 15:14 |
| stickster | So quaid +1, the guidelines need to be finished. | 09 Sep 15:14 |
| stickster | Meaning that if there's a further dependency on technical guidelines, those need to be done pronto. | 09 Sep 15:14 |
| quaid | the AOS with SELinux removed could use the secondary marks ... if they exist in the future. | 09 Sep 15:14 |
| stickster | FESCo discussed this in their recent meeting too. | 09 Sep 15:14 |
| stickster | sorry, indefinite "this" | 09 Sep 15:14 |
| stickster | FESCo discussed technical Spin requirements in their recent meeting too. | 09 Sep 15:15 |
| stickster | We should make sure that we, as the Board, are working in coordination with FESCo | 09 Sep 15:16 |
| * stickster ponders. | 09 Sep 15:16 | |
| stickster | If it's super-duper easy for anyone to use the secondary mark, and that secondary mark is a great pointer to the official project... | 09 Sep 15:17 |
| stickster | Why will people want to bother with the primary mark? | 09 Sep 15:17 |
| stickster | That's a rhetorical questions. | 09 Sep 15:17 |
| stickster | *questions | 09 Sep 15:17 |
| * stickster gives up and shoots typist. | 09 Sep 15:17 | |
| ctyler | stickster has quit (Shot) | 09 Sep 15:17 |
| stickster | heh | 09 Sep 15:17 |
| stickster | OK, traffic has died, I think spevack fell asleep listening to me ramble, and there may be an empty question queue. | 09 Sep 15:18 |
| stickster | spevack: Shall we call it? | 09 Sep 15:19 |
| spoleeba | stickster, congratz you have just completed the full discussion about the value and danger of the sencondary mark..all inside your own head | 09 Sep 15:19 |
| spoleeba | stickster, you will fail to sleep this evening | 09 Sep 15:19 |
| f13 | stickster: you mean like the debian official mark vs the one everybody actually uses? | 09 Sep 15:19 |
| stickster | f13: That's precisely why I like the idea of embedding words in the mark. | 09 Sep 15:19 |
| f13 | 09 Sep 15:20 | |
| * f13 too | 09 Sep 15:20 | |
| spevack | stickster: sure | 09 Sep 15:20 |
| f13 | I think it's a worry, but something we'll just have to deal with | 09 Sep 15:20 |
| f13 | by continuing to make things marked with the official mark relevant and exciting to use | 09 Sep 15:20 |
| mdomsch | It's more likely official spins with the full mark will get hosting from the project? | 09 Sep 15:20 |
| spevack | stickster: one last thing | 09 Sep 15:20 |
| spevack | stickster: then the queue is empty | 09 Sep 15:20 |
| f13 | and if our best competition comes from outselves, isn't that a good ting? | 09 Sep 15:20 |
| stickster | spevack: Oh no, that's always a bad sign. | 09 Sep 15:20 |
| spevack | spevack: Not sure if this is applicable to the previous | 09 Sep 15:20 |
| spevack | discussoin in the board but, So the patches that have been | 09 Sep 15:20 |
| stickster | :-D | 09 Sep 15:20 |
| spevack | made and fixes that were applied to the infrastructure, did | 09 Sep 15:20 |
| spevack | they help in solving this issue? | 09 Sep 15:20 |
| spevack | ugh, sorry for the bad formatting | 09 Sep 15:20 |
| f13 | mdomsch: I'm almost of the opinion that only things hosted/produced officially by the project get the full mark, but I haven't fully thought that out yet. | 09 Sep 15:21 |
| spot | OUR MAGICAL FAIRY SHIELD NOW PROTECTS US FROM ALL INVADERS, FOREIGN AND DOMESTIC. | 09 Sep 15:21 |
| f13 | spot: that's a +3 FAIRY SHIELD mind you | 09 Sep 15:21 |
| stickster | We believe that the changes we've made did help, yes. It would be silly for us to claim we're now 100% IMMUNE from bad peeplez | 09 Sep 15:21 |
| stickster | - but -- | 09 Sep 15:21 |
| f13 | many of the changes we made will help us to recover from future attacks | 09 Sep 15:22 |
| stickster | as all security practitioners know, security's a process, not an end state | 09 Sep 15:22 |
| spot | +3 FAIRY SHIELD HAS A +1 AGAINST TROLLS | 09 Sep 15:22 |
| f13 | leaving us less with our pants hanging down | 09 Sep 15:22 |
| f13 | so that next time, we may not have to nuke from orbit and spend a month trying to get updates out again | 09 Sep 15:22 |
| ctyler | f13: So then a spin with the full mark could use the Fedora infrastructure for spin distribution? That's a reason to aim for it over the secondary mark. | 09 Sep 15:22 |
| spevack | 09 Sep 15:22 | |
| * spevack has nothing else from #fedora-board-public | 09 Sep 15:22 | |
| spoleeba | mdomsch, i think im firmly in the camp that we are going going to be officially hosting spins which go through the release process..regardless of primary/secondary mark | 09 Sep 15:23 |
| stickster | OK, let's call it. | 09 Sep 15:23 |
| f13 | cable guy is here, I'm out. | 09 Sep 15:23 |
| stickster | You heard the man. | 09 Sep 15:23 |
| stickster | </meeting> | 09 Sep 15:23 |
Generated by irclog2html.py 2.6 by Marius Gedminas - find it at mg.pov.lt!