From Fedora Project Wiki
Fedora Project Board Meeting :: Tuesday 2008-09-09
Roll Call
Attendees: Everyone on #fedora-board-meeting
Codecs (2008-05-13)
- Need to restart discussion on fedora-advisory-board@redhat.com to get plans in place at the start of F10
- Chris Aillon to make contact with Bastien Nocera to find out what current plans are
- Waiting on bug 438225 to proceed
  - This change will enable auto-provide for codec information
- For Fedora 10, removing Codeina and using the distribution's built-in mechanism to install packages (if bug 438225 is implemented)
  - For Fluendo to continue to provide codecs to Fedora they will need to provide them as packages in a yum repo
  - This errs on the side of more "free-ish" software
RESOLUTION:
- ACTION :: Paul - request feature page from developer
- FESCo should track bug 438225 since this falls into their mandate
- FOLLOWUP (2008-08-05):
  - Feature page still in the works and FESCo is tracking bug 438225
- FOLLOWUP (2008-09-09):
  - Paul Frields has pinged the RPM dev team again about that feature page, but is having difficulty reaching them
  - Panu has said that he will handle bug 438225
Trademark Guidelines (2008-07-01)
- Board would like to help guide the process of expanding the use of the Fedora trademark
- Helpful to brainstorm by thinking of Fedora trademark usage in four ways:
  - Things the board wants Fedora to be able to do with the trademark
  - Things the board wants the Fedora community to be able to freely do with the trademark
  - Things the board wants other people to reasonably be expected to be able to do, but ask the Fedora Board first
  - Things that the board never wants people to use the Fedora trademark for
- OWNER: Paul Frields
- ACTIONS:
  - circulate ideas and foster discussion on fedora-advisory-board@redhat.com list
  - return feedback to the board for discussion on: 2008-08-05
- Latest updates: User:Pfrields/NewTrademarkGuidelines (see also discussion tab)
- FOLLOW-UP (2008-08-05):
  - Board definitely wants a Fedora trademark of some sort for spins and other uses (derivative works)
  - Still unsure on how best to proceed on issues related to:
    - official spins
    - unofficial spins
    - branded USB keys
    - OEM pre-loads
    - Fedora business cards
    - Fedora apparel and conference materials (see section on Non-software goods)
  - Everyone should add uncovered use cases to the wiki page (see above) ASAP
  - Paul Frields will be working with Red Hat Legal starting this week to move the process forward
- FOLLOW-UP (2008-09-09):
  - RH Legal is reviewing the guidelines, and the newest state of that page incorporates their most recent review
  - Paul would really like to have that wrapped up by the end of the month if at all possible
  - Related discussion about SELinux being required for spins
    - This should not block or impact trademark work
    - Will add a section to the trademark guidelines to encompass issues like SELinux, using the wording "pursuant to other technical requirements"
  - ACTIONS:
    - Continue discussion about SELinux on fedora-advisory-board@redhat.com list
    - Release Engineering and Spins SIG should draw up minimum technical requirements to use the Fedora name
Board Questions & Answers
- Topics covered included:
  - Infrastructure intrusion
  - Creating a response plan
  - SELinux, custom Spins, and trademark usage
  - Infrastructure secured
- See transcript (below) for details
IRC Transcript
The public discussion IRC log is at Meeting:Board_Public_IRC_log_20080909.
stickster | <meeting> | 11:02 |
spoleeba | here | 11:02 |
stickster | The Secretary should be arriving in a moment :-) | 11:03 |
spoleeba | stickster, stalin? | 11:03 |
quaid | hey kids | 11:03 |
stickster | Hi everybody. Max is moderating in #fedora-board-public, and I think we have a couple short agenda items to get out of the way | 11:04 |
* stickster gives mic to poelcat | 11:04 | |
poelcat | first followup item is: Board/Meetings/2008-08-05#Codecs_.282008-05-13.29 | 11:05 |
poelcat | fesco meets tomorrow so if a feature page is coming it needs to be submitted ASAP | 11:05 |
mdomsch | everyone see http://itmanagement.earthweb.com/osrc/article.php/3770216/The+Fedora-Red+Hat+Crisis.htm | 11:06 |
mdomsch | ? | 11:06 |
mdomsch | that's why I love transparency and meeting minutes | 11:06 |
skvidal | mdomsch: yah - I read it | 11:06 |
quaid | OMGCRISIS! | 11:06 |
spot | does the Flash have to die this time? | 11:06 |
stickster | poelcat: I've pinged the RPM dev team again about that feature page. | 11:07 |
f13 | sorry I'm late, turns out 'cheese' will crash your system if you try to take a video. | 11:07 |
stickster | poelcat: At worst, this may fit into the overall 'new RPM 4.6' feature category | 11:07 |
stickster | And we could call out specific new RPM features as desired | 11:07 |
spoleeba | f13, oh thats a new feature | 11:08 |
stickster | Maybe we should call that one out too? | 11:08 |
spoleeba | mdomsch, do i really have to read it? | 11:08 |
mdomsch | spoleeba, you can surmise from the title | 11:08 |
stickster | poelcat: I believe that Panu's on travel today but I've also emailed jnovy and ffesti | 11:09 |
stickster | Panu's said that he will have this in by the final dev freeze. | 11:09 |
spoleeba | mdomsch, i do love how he surmises how i feel about the situation as a Board member | 11:09 |
* stickster not ignoring the conversation thread on the Byfield article, just trying to get through the agenda | 11:10 | |
poelcat | anything else to note on the "codecs" topic? | 11:10 |
mdomsch | stickster, agenda++ | 11:10 |
quaid | mdomsch: your fault! :D | 11:11 |
stickster | Oh, hang on -- | 11:11 |
f13 | 'by the final dev freeze' seems rather late if we need to do something on top of this feature in other packages. | 11:11 |
stickster | Yeah, that's why I've sent a couple emails about it. | 11:12 |
stickster | The most recent one was yesterday. | 11:12 |
stickster | I checked the RPM git repos and didn't see the proposed patch in there. | 11:12 |
f13 | hrm. | 11:14 |
spot | do we need to say anything else about this or can we move on? | 11:15 |
stickster | I invited jnovy to talk about it, but let's move on for now. | 11:15 |
stickster | poelcat: next | 11:15 |
poelcat | progress on update to trademark usage guidelines | 11:16 |
stickster | Ah | 11:16 |
stickster | User:Pfrields/NewTrademarkGuidelines | 11:16 |
stickster | I've been actively working on them, through last week and up until yesterday | 11:16 |
stickster | RH Legal is reviewing them, and the newest state of that page incorporates their most recent review. | 11:16 |
stickster | So, progressing. | 11:16 |
poelcat | ref: Board/Meetings/2008-08-05#Trademark_Guidelines_.282008-07-01.29 | 11:17 |
stickster | I'd really like to have that wrapped up by the end of the month if at all possible. | 11:17 |
stickster | (preferably sooner) | 11:17 |
spoleeba | stickster, uhm... there needs to be a decision about whether trademark usage is going to require technical specifics | 11:17 |
mdomsch | stickster, "not disparaging to Red Hat or the Fedora Project" | 11:18 |
mdomsch | to what extent? | 11:18 |
mdomsch | presumably the board would have to enforce | 11:18 |
stickster | spoleeba: we can add a statement that says usage is pursuant to separate technical requirements | 11:18 |
* mdomsch is not in favor of requiring selinux | 11:19 | |
stickster | spoleeba: Please use the "discussion" tab and enter your comments there | 11:19 |
spoleeba | stickster, i dont have a problem with it as it stands..... there are others | 11:19 |
ctyler | stickster: I have at least one more use case for you, too | 11:19 |
stickster | spoleeba: They're free to do the same :-) | 11:19 |
stickster | spoleeba: I've invited the community repeatedly to help with use cases, etc. | 11:20 |
spoleeba | stickster, here's my point.. i dont think we can "wrap this up in a month" considering what we just had a discussion in fab | 11:20 |
stickster | Many have already, including Jeroen, BKearney, Max, others... | 11:20 |
* stickster continues to happily accept more input | 11:20 | |
mdomsch | EOM is a decent goal though | 11:21 |
quaid | +1 to pursuant to other technical requirements | 11:21 |
quaid | then we can update that list on going without jiggling the trademark rules with details it doesn't need | 11:22 |
stickster | quaid: Right. | 11:22 |
stickster | Legal documents and technical requirements are two different kettles of fish. | 11:22 |
quaid | thus, eomonth can work | 11:22 |
stickster | buckets of meat? | 11:22 |
quaid | eww^2 | 11:22 |
stickster | baskets of asparagus | 11:23 |
f13 | mdomsch: I'm also not really in favor of seeing something out there under the Fedora name that /doesn't/ ship with selinux | 11:23 |
spoleeba | stickster, we must decide if the Board is going to continue to be one of the groups who gets to decide on technical requirements or not | 11:23 |
stickster | (for the veggiesauri) | 11:23 |
spot | i think i dated that once in college. | 11:23 |
f13 | mdomsch: under the full Fedora name, not a 'based on Fedora' or 'built on Fedora' name | 11:23 |
quaid | at least Kettle of Fish was a decent dive bar in Greenwich Village | 11:23 |
* f13 loads the wiki page to comment | 11:23 | |
quaid | +1 to continuing the SELinux et al discussion on f-a-b, as part of the technical kettle | 11:23 |
spoleeba | stickster, i have no problem with a moving target for technical requirements..but as the trademark policy stands as drafted the Board isnt going to be building those roadblocks | 11:24 |
spoleeba | stickster, and if the Board shouldnt be doing it..then we should firmly state who should be doing it | 11:24 |
* spot coughs *rel-eng* | 11:24 | |
quaid | spoleeba: explain "isn't going" | 11:24 |
spot | sorry. something stuck in my throat. | 11:24 |
stickster | spoleeba: The page indicates that the trademark owner always retains rights to the TMs, and the Board is always responsible for enforcing compliance. | 11:25 |
f13 | erm, I thought the point of the new policy was that /nobody/ had to review it, there was no blocker | 11:25 |
spoleeba | stickster, enforcing compliance.. and defining the technical hurdles are not the same | 11:25 |
stickster | RelEng has the Spins group tapped to create the technical requirements | 11:25 |
spoleeba | f13, that was what i thought as well | 11:25 |
stickster | f13: Correct? | 11:25 |
f13 | stickster: those are for things that Fedora as a project puts out for users to consume | 11:26 |
mdomsch | as long as usage is within the policy, yes, no apriori review | 11:26 |
f13 | stickster: but I thought under the new guidelines, anybody could make whatever they want, as long as it adheres to the guidelines and publish it as "Fedora" | 11:26 |
f13 | ergo there is no chance for somebody like releng to vet it for technical items | 11:26 |
notting | well, was aos being reviewed under the new or old guidelines? | 11:26 |
f13 | therefore, we need to codify technical restrictions into the policy | 11:27 |
spoleeba | mdomsch, the question becomes which group is tasked with coming up with the moving target policy | 11:27 |
notting | i don't recall saying one way or another that they can't be Fedora if they turned off selinux. i was just curious *why* they were doing it | 11:27 |
spot | notting: you should talk to bryan_kearney1 | 11:28 |
notting | spot: i was the first post on the thread | 11:28 |
mdomsch | notting, f13 would like to say "if they turn off selinux, it's not Fedora". I'm not of the same opinion. :-) | 11:28 |
quaid | f13: why codify in to the policy? the policy can just state, "follow this moving target over here or don't use the mark" | 11:28 |
f13 | mdomsch: to be the top tier trademark, "Fedora", I feel that there should be a bare minimum it meets | 11:28 |
f13 | yum, selinux, etc.. | 11:29 |
ctyler | f13: that minimum should be coded somewhere else and the policy should point to it | 11:29 |
f13 | anything less than that falls to the next tier, Based on Fedora or whatever | 11:29 |
ctyler | so the policy doesn't change when the tech does | 11:29 |
f13 | ctyler: that's acceptable | 11:29 |
f13 | it still has the same net effect though | 11:29 |
spoleeba | quaid, I really would like to avoid having the Board be the group which codifies the moving policy... id rather have the Board just enforce it or arbitrate when the group who does deal with the policy gets deadlocked | 11:29 |
f13 | policy will change over time | 11:29 |
stickster | OK, so far I see a lot of us in essentially violent agreement. | 11:30 |
quaid | spoleeba: the Board cannot absolve itself of the responsibility, it can assign it to other people, and I think that chain has clearly been established! | 11:31 |
quaid | Board asked Releng, which has asked Spins, right? | 11:31 |
stickster | At least as far as decoupling and linking the technical requirements for TM usage. | 11:31 |
quaid | yes | 11:31 |
spoleeba | quaid, the fab discussion would suggest...otherwise | 11:31 |
quaid | spoleeba: don't do that | 11:32 |
quaid | spoleeba: just because one is on the Board doesn't mean you cannot be involved in the assigned task | 11:32 |
quaid | spoleeba: you saw people speaking as individuals | 11:32 |
spoleeba | quaid, but not in the context of the spins sig's communication channel | 11:32 |
quaid | for example, I am a bit of an SELinux historian and feel strongly about it, so I spoke up | 11:32 |
spoleeba | quaid, my point is... the selinux came up..as part of the Board's step in the process... | 11:32 |
f13 | guys | 11:33 |
quaid | simply because it hasn't been codified | 11:33 |
quaid | by anyone yet | 11:33 |
f13 | we're talking about multiple things here | 11:33 |
spot | perhaps we should ask the Spins group to provide a list of "suggested minimum technical requirements" for a spin. | 11:33 |
f13 | there are the things that Fedora produces itself, which we have a clear path of review for | 11:33 |
spot | then we can argue about that ad infinitum | 11:33 |
f13 | then there are the things that individuals would be producing, under the name of Fedora | 11:33 |
f13 | where there is 0 review path, and 0 proposed review path | 11:33 |
spoleeba | quaid, are we always going to see that happen? new policy will come up at the Board step..and then have to be pushed back to the Spin SIG to deal with? | 11:33 |
f13 | my only issue is with the latter, not the former. | 11:33 |
f13 | spoleeba: my issue doesn't really involve the spin sig | 11:34 |
quaid | spoleeba: Spins/Releng needs to show the technical list early enough to the Board to get input, that's all | 11:34 |
f13 | because my issue is with the folks that will be producing content outside the spins process | 11:34 |
quaid | f13: yes, and that discussion belongs in a thread about what technical requirements we get from Spins/releng; so you can make sure SELinux is on that list with your releng hat, and we can debate in our final vetting at the Board side. | 11:35 |
quaid | spot: +1 to asking Spins (+ releng) to come up with the initial technical list | 11:35 |
quaid | and yes I think it does need Board vetting. | 11:35 |
quaid | otherwise we are passing on accountability that we cannot pass on! | 11:35 |
f13 | agreed | 11:35 |
ctyler | +1 | 11:36 |
spot | +1 from me (obviously) | 11:36 |
skvidal | +1 | 11:36 |
notting | +1 | 11:36 |
mdomsch | +1 | 11:37 |
stickster | f13: Can you own the task of starting and collecting that discussion? | 11:37 |
stickster | we really need to get to the Q&A, guys. | 11:38 |
f13 | stickster: yeah, I'll take it. add it to the ever growing list of doom. | 11:38 |
spot | the answer to all of the pending questions is: thinly sliced lunch meat | 11:39 |
stickster | OK, anything more on this? Let's move on if not | 11:39 |
f13 | damnit, now i'm hungry | 11:39 |
* poelcat notes that wraps up previous business | 11:39 | |
poelcat | back to you stickster | 11:39 |
stickster | Q&A time | 11:39 |
stickster | spevack: Go! | 11:39 |
stickster | :-) | 11:40 |
spevack | ok. | 11:40 |
spevack | we have a number of questions. | 11:40 |
spevack | there are a few about the infrastructure stuff. | 11:40 |
spevack | so give me a moment to paste them all in, and then you can sort of answer from different bits | 11:40 |
spevack | since there will be some overlap | 11:40 |
spevack | the first was from vallor: | 11:40 |
spevack | "I'm sure one of the questions on everybody's mind is the status of "Infrastructure" -- and are the rumors true that the bogusly-signed openssh packages were trojaned? (Max edit: we asked for some clarification and the response follows) I'm referring to anything and everything in the incident where systems were compromised -- and if that flows slightly into RHEL space, I think it is only prudent to explain that part of the incident, too." | 11:40 |
spevack | the second from lwnjake and nirik: | 11:41 |
spevack | "also, when might we find out more about exactly what happened to the infrastructure?" | 11:41 |
spevack | and the third from rdieter: | 11:41 |
spevack | "another hard ball, why wasn't the board informed of anything? (afaik, they're as much uninformed as anyone). or so says mr. spoleeba" | 11:41 |
spevack | that's all the infrastructure questions we have right now. | 11:41 |
f13 | I can take the last one | 11:41 |
spevack | there's two others on different topics | 11:41 |
* spevack goes silent | 11:41 | |
f13 | A few board members became aware of what was going on, due to other roles played by those board members. | 11:41 |
f13 | Some of these people were Red Hat employees, others were under a Red Hat NDA for various other reasons. | 11:42 |
stickster | The Board has no NDAs with Red Hat. | 11:42 |
stickster | Sorry, the people on the Board who are volunteers -- | 11:42 |
stickster | and have no prior formal relationship with Red Hat -- | 11:42 |
stickster | don't have any NDA. | 11:43 |
quaid | ! | 11:43 |
f13 | when it became apparent that the breakin affected Red Hat itself, and not just Fedora infrastructure, Red Hat asked for no further discussion with anybody else, unless it was approved by the people working the issue | 11:43 |
skvidal | stickster: not the ndas would have helped in terms of disclosure... | 11:43 |
f13 | my assumption was because we at that time had no idea who had broken in and did not want to divulge any information that would leak to the wrong ears. | 11:43 |
quaid | f13: not only fair but smart assumption | 11:44 |
f13 | for better or worse, I and the other board members who were "in the know" followed that request and did not further inform any other board members | 11:44 |
f13 | people were brought into "the know" based on what we needed from them on individual issues | 11:44 |
spoleeba | so how do i feel about that..as being a non-NDA'd Board member... | 11:44 |
mdomsch | and even then, the extent of "in the know" varied person-to-person by their duties | 11:44 |
quaid | I was personally totally unsurprised that I was kept in the dark nearly the entire time the whole world was. | 11:45 |
stickster | As is true of all security investigations, progress reports are somewhat closely contained. | 11:45 |
spoleeba | im not signing an NDA just to be on the board | 11:45 |
f13 | It's pretty easy to tear this apart post-incident, but in the heat of the moment it did not seem prudent to strain the Fedora/RH relationship by blatantly ignoring requests. | 11:45 |
quaid | since I have no role in Fedora or RHT that puts me in touch with infrastructure | 11:45 |
f13 | now, had we thought of it, we likely could have gotten approval to inform the full Fedora board of what was going on, and kept them informed. | 11:45 |
quaid | I expected that the IT professional colleagues and community members were doing the right thing. | 11:46 |
spot | On question 1: No "bogusly-signed" Fedora packages were distributed via any official mechanism. No "bogusly-signed" RHEL packages were distributed via any official mechanism (RHN). | 11:46 |
f13 | the question really is "what value would that have added" other than having more people who could not/should not tell anybody else. | 11:46 |
quaid | f13: +1 | 11:46 |
spoleeba | I think we can do a lot just by having a generally useful infrastructure incident plan..with known interaction points with Red Hat | 11:46 |
stickster | f13: I did think of it, but it was simply not possible given the sensitivity of the investigation. | 11:46 |
quaid | f13: I was happy to not know because it wasn't my job to be in the know. | 11:46 |
f13 | stickster: fair point. | 11:46 |
quaid | spoleeba: +1 that is a great shakeout from this | 11:46 |
quaid | obvious holes in our communication plan, etc. | 11:46 |
quaid | but only after the fact | 11:47 |
f13 | absolutely | 11:47 |
quaid | how do you know is too much or too little for community folks? | 11:47 |
f13 | lmacken has agreed to work on an incident response plan | 11:47 |
quaid | to be honest | 11:47 |
mdomsch | if it had been solely a Fedora thing, we would have treated it differently I'm sure | 11:47 |
quaid | if we sent out the same thing each day, it would have been appreciated, aiui | 11:47 |
quaid | mdomsch: +1 | 11:47 |
stickster | And we do have to understand that there are still places where our project touches what is essentially a commercial entity, Red Hat. | 11:47 |
f13 | mdomsch: I think so too. Fedora isn't legally responsible to a number of customers (: | 11:47 |
skvidal | mdomsch: _maybe_ | 11:47 |
quaid | stickster: same is true in other cases | 11:47 |
quaid | what if something had happened at a hosting provider that has Fedora boxen? | 11:48 |
skvidal | mdomsch: Given what I've understood after the event | 11:48 |
quaid | we would have been in the same situation | 11:48 |
stickster | Our incident response plan will need to recognize that in some situations there are going to be decision points that lead into Red Hat where we can't dictate how every detail will run | 11:48 |
stickster | Although we can set the stage -- | 11:48 |
skvidal | I'm not at all clear that we could have announced the status of things if it were purely a fedora intrusion | 11:48 |
skvidal | not w/o clearance from red hat legal, at the least | 11:48 |
spoleeba | stickster, and in the future.. possibly not Red Hat...if we have donated infrastructure services from other companies | 11:48 |
stickster | -- by setting up reasonable expectations internally and externally for how to communicate incidents like this. | 11:48 |
ctyler | I don't think anyone really minded being in the dark, but it seemed like a long time to be in the dark, especially with production systems out there | 11:48 |
f13 | skvidal: you make a good point, and I think every incident will be different and have slightly different results | 11:49 |
spot | ctyler: it takes a LONG time to audit everything in cvs. | 11:49 |
skvidal | f13: I think from here on out we can expect a lot more scrutiny in public announcements of anything like this | 11:49 |
skvidal | that's just my impression, though | 11:49 |
quaid | ctyler: I guess what bothered me during and after was the presumption that Fedora leadership had left community members high and dry in an effort to save RHT's bacon. | 11:49 |
skvidal | quaid: we left community members b/c we had no choice in the matter | 11:49 |
skvidal | wait | 11:49 |
skvidal | I'm wrong | 11:49 |
f13 | ctyler: it's pretty hard not to infuse somebody with a false sense of security, while at the same time not infusing them with a false sense of insecurity | 11:50 |
skvidal | our choices were 'do not talk about it or be in breach of contract' | 11:50 |
mdomsch | quaid, I'm not sure how common that perception i | 11:50 |
mdomsch | is | 11:50 |
quaid | mdomsch: it's what Byfield's article is around | 11:50 |
mdomsch | AFAICT, people "in the know" worked their tails off to protect our end users - our #1 priority | 11:50 |
stickster | I tried not to take any presumptions personally. | 11:50 |
quaid | total ignorance of IT practice in favor of freaking out about Red Hat. | 11:50 |
ctyler | But there's a difference between software that just says "please wait" and software that says "please wait" and has a spinning icon so you know it hasn't crashed | 11:50 |
spevack | stickster: there are a number of follow-ups whenever you are all ready for them. | 11:51 |
ctyler | we need the spinning icon | 11:51 |
quaid | but anyway, that's an old and dull adze. | 11:51 |
spot | spevack: okay, lets hear those follow-ups | 11:51 |
quaid | ctyler: ok, fair; even daily repeats of previous announcements is better than nothing. | 11:51 |
f13 | have we sufficiently hit the first 3 questions? | 11:51 |
spevack | i think you have. and the follow-ups will provide more opportunity. | 11:51 |
spot | well, i answered Q1. | 11:51 |
skvidal | f13: there's still a little un-kicked horse, I'm sure | 11:51 |
spevack | so let me paste that all in. | 11:51 |
spevack | and then give it back to you guys | 11:51 |
f13 | k | 11:52 |
stickster | I think a lot of people were frustrated about the lack of information, or the timing, and I truly sympathize. | 11:52 |
spevack | vwbusguy: "I'd like to know what security changes in regard to the repos / updates and stuff, if any other than the key change, if it hasn't been discussed yet" | 11:52 |
spevack | LyosNorezel: "why is RH's blanket restraint order still in effect? the problem's over... no? why not give a detailed explanation?" | 11:52 |
spevack | vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ redhat.com is private to just the Board.) | 11:52 |
spevack | go at it | 11:52 |
spot | LyosNorezel: the investigation is _still_ ongoing. | 11:52 |
stickster | As for #2, it's *not* over. | 11:52 |
skvidal | spevack: it's an ongoing investigation - the problem is not resolved | 11:52 |
* quaid votes that stickster give the first set of answers this time | 11:52 | |
f13 | #1) we've had a number of changes coming up that were unrelated to the break in | 11:53 |
stickster | vwbusguy: The changes you're seeing are all happening openly and transparently. | 11:53 |
f13 | gpg signing of repodata, a more secure signing server, and better signing practices had all been under discussion before the breakin, and made more important because of the break in | 11:53 |
stickster | No one is trying to make changes to Fedora on the sly. Period, full stop. | 11:53 |
* mdomsch is amazed, and proud, that the Fedora Infrastructure team could rebuild _every single box_ in a week, to ensure they were all clean | 11:54 | |
spevack | stickster: also, nirik has mentioned that he does not feel that his and lwnjake's initial question was addressed. It was (paraphrasing) "when will we find out more about what happened?" | 11:54 |
skvidal | mdomsch: I don't think that's really at issue | 11:54 |
f13 | vallor: lmacken is part of the Fedora security SIG and he's the primary driver for the incident response plan. | 11:54 |
f13 | vallor: the plan will be developed in the open and will be open to comment if you'd like to participate. | 11:54 |
mdomsch | skvidal, it was part of the recovery plan | 11:54 |
f13 | Unfortunately we'll find out more when ... we find out more. | 11:54 |
stickster | vallor: And I think we'd continue to use fedora-board-list for any such conversations, with the understanding -- as always -- that we try and use it as little as possible, and keep discussions open and transparent to the maximum extent. | 11:55 |
skvidal | mdomsch: 'recovery plan' might be a bit strong of a statement | 11:55 |
spevack | f13: vallor asks me to give you his thanks. | 11:55 |
skvidal | mdomsch: I mean the plan was more or less 'pull back nuke everything from orbit' | 11:55 |
f13 | the investigation is still ongoing, and while I don't have any knowledge of it, I wouldn't be surprised if there is law enforcement involved somewhere. | 11:55 |
mdomsch | granted | 11:55 |
skvidal | mdomsch: we opted to scorch the earth rather than second guess | 11:55 |
stickster | skvidal: With which plan I was in 100% agreement. | 11:56 |
spot | lwnjake: when we're told that we can by the parties running the investigation, not a second before, and not a second later. | 11:56 |
skvidal | right - but a plan with 1 step is not quite a plan :) | 11:56 |
* stickster +1's spot. | 11:56 | |
* spot would like to point out that Byfield's chicken little attitude is really irrational. No other FOSS publicly traded company (note that I said company) has ever had to deal with anything like this before. | 11:57 | |
spot | yeah, it wasn't as good as it could be, but in true FOSS fashion, we're taking lots of notes and submitting patches | 11:58 |
skvidal | spot: it would be nice to get something resembling a status update from folks internal | 11:58 |
skvidal | spot: I agree with that concern, entirely | 11:58 |
spot | it would be nice, and hopefully we'll have something new soon. | 11:59 |
spevack | stickster: when the Board is ready, there are two additional questions on different topics. | 11:59 |
spevack | then i'll start looking for other follow-ups in the public room | 11:59 |
stickster | Anything else on the intrusion matter? | 12:00 |
stickster | If not, fire away spevack! | 12:00 |
spevack | ok | 12:00 |
spevack | vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ redhat.com is private to just the Board.) | 12:00 |
spevack | wait, wrong paste | 12:00 |
spevack | i already did that one | 12:00 |
spevack | bryan_kearney1: I would like to get feedback on the AOS Trademark request (Max edit: What is AOS, for those who don't know? Also, bryan is referring specifically to the SELinux question, and the "minimal set of technical requirements to call something fedora" question) | 12:00 |
stickster | AOS is appliance operating system I think | 12:01 |
f13 | we just spent 20 minutes arguing about that earlier in the meeting | 12:01 |
f13 | one problem with "release early, release often" when it comes to policy is that sometimes we're not ready :/ | 12:01 |
spevack | f13: bryan is typing a modified/follow-up question right now | 12:01 |
spevack | hang on | 12:01 |
spoleeba | f13, does the version he recently submitted with selinux set to permissive work for you..until the new trademark policy and its technical measures go into effect? | 12:02 |
stickster | Bryan has been actively participating in the TM guidelines stuff, partly because it directly affects a project on which he's working | 12:02 |
f13 | also, a lot of discussions got put to the side when the "incident" happened, and we're slowly bringing things back into the foreground | 12:02 |
spot | bryan_kearney1: congratulations! you have stumbled into an unimplemented section of the map. beware of grues. we're scribbling as fast as we can. ;) | 12:02 |
spevack | while we wait for bryan's follow-up, here's the other question: | 12:02 |
spevack | inode0: less touchy I think question: why no new installation media? seems a large pain to install systems with keys that we need to replace after installation?! (Max edit: rdieter says this was possibly addressed in rel-eng meetings.) | 12:02 |
f13 | spoleeba: maybe? I honestly haven't taken a moment to look at it, I've been entirely focused on getting updates out to users once again. | 12:02 |
f13 | oh, and beta. | 12:02 |
stickster | OK, let's answer John's question. | 12:03 |
spot | <nirik> inode0: because that doesn't help any of the already burned media out there, and for doing something like 9.1 there would be export approval/legal to go thru | 12:03 |
f13 | We decided not to respin media because the content on the media is verified via other means than the keys on the packages | 12:03 |
stickster | I think the human-power cost of this is far too high vs. the current plan. | 12:03 |
f13 | and that there was already a rather large amount of pre-mastered media out in the wild, that there was no real good reason to invalidate | 12:03 |
spoleeba | f13, right... right... i realize.. im just saying that for in the meanwhile if his new kickstart is okay...then we should bless that for F10 timeframe | 12:03 |
quaid | spoleeba is correct | 12:03 |
f13 | spoleeba: it's on my list to look at. | 12:03 |
quaid | f13: thanks | 12:04 |
quaid | that's the blocker since we have no guidelines in place :D | 12:04 |
spevack | bryan_kearney1: AOS spin is still awaiting trademark approval, with selinux enabled (--permissive). We need additional feedback. I made changes per the feedback I got, and have gotten no new feedback | 12:04 |
notting | 'see the minutes from earlier in the meeting'? | 12:04 |
spoleeba | f13, as to media... are we going to leave the new release rpm with the new key..signed with the old key..up until F9 eol? | 12:04 |
f13 | we verified that the content on the media is good, we're going to re-sign the SHA1SUM file with the new key, and we're preparing our repos and mirrormanager so that fresh installs from those media will only ever hit our mirrors (the ones we control) for the updates, which will get them the transition bits to point them to the newly signed content. | 12:05 |
spot | please hold, while we determine what the minimum technical requirements will be (once we receive them from the Spins team). | 12:05 |
f13 | spoleeba: that is the plan. The repo will hold that and the PK updates and only those. Mirrormanager will force all requests to those repos into mirrors we control. | 12:05 |
spoleeba | f13, excellent... so a very small mirror pool specifically for those updates | 12:05 |
f13 | yes | 12:06 |
spoleeba | f13, yeah mirrormanager! | 12:06 |
mdomsch | spoleeba, d.f.r.c isn't really a small pool :-) | 12:06 |
spevack | stickster: there are currently no other questions queued up | 12:06 |
spoleeba | mdomsch, small is relative | 12:06 |
stickster | bryan_kearney1: to add to what notting said, I think you're seeing the effects of many of the parties involved being wrapped up in the work to get F8/F9 updates back on the horse | 12:06 |
quaid | question: | 12:07 |
quaid | what is going on with secondary marks? | 12:07 |
* quaid waits to see if that question is clear enough :) | 12:07 | |
mdomsch | quaid, the guidelines call for a new secondary mark | 12:08 |
mdomsch | "Powered by Fedora", "Derived from Fedora", something like that | 12:08 |
stickster | There are three questions -- Can we have one? What can it say? What does it look like? | 12:08 |
spoleeba | mdomsch, i seem to remember this discussion happening before..way way way back when | 12:08 |
notting | it has happened before. | 12:09 |
mdomsch | and will again | 12:09 |
stickster | So far, the answers I have, from talking with Red Hat Legal, are (1) Probably, (2) Not sure yet, (3) Not sure yet. | 12:09 |
mdomsch | stickster, but we could get the artwork team to start 3) | 12:09 |
f13 | am I watching a BSG episode? | 12:10 |
spoleeba | mdomsch, i could suggest a briefcase with an infinite symbol on it...oh wait..nevermind | 12:10 |
stickster | Well, it's very possible we can use the existing mark as *part* of the secondary mark. | 12:10 |
mdomsch | f13, she was boxed | 12:10 |
stickster | i.e. "Based on Fedora." | 12:10 |
stickster | Current legal minds are telling me that's not necessarily verboten. | 12:10 |
spoleeba | stickster, i like these new legal minds | 12:11 |
mdomsch | "Fedora Inside" | 12:11 |
mdomsch | + chimes | 12:11 |
stickster | Something tells me they won't be nearly as happy about a secondary mark that infringes another trademark :-D | 12:11 |
mdomsch | stickster, spoleeba +1 | 12:11 |
stickster | So until we know what text we can use, and whether we can use the official logo, as part of the secondary mark, starting a design process is probably premature | 12:12 |
quaid | so this is a dependency on these trademark guidelines being finished. | 12:13 |
stickster | Especially if it comes down to, "Sure, use 'Based on Fedora'" with the official logo in XX specific configuration | 12:13 |
ctyler | so eom+art team? | 12:13 |
stickster | Because that art design will probably take about 5 minutes. | 12:13 |
stickster | In fact, I already did one myself. | 12:13 |
* mdomsch gets out fingerpaints | 12:13 | |
ctyler | uh oh | 12:13 |
stickster | (but will leave it to real artists and not dilettantes like myself) | 12:13 |
stickster | ctyler: I really, really hope so. | 12:13 |
quaid | this rolls back a bit to the AOS question | 12:14 |
stickster | So quaid +1, the guidelines need to be finished. | 12:14 |
stickster | Meaning that if there's a further dependency on technical guidelines, those need to be done pronto. | 12:14 |
quaid | the AOS with SELinux removed could use the secondary marks ... if they exist in the future. | 12:14 |
stickster | FESCo discussed this in their recent meeting too. | 12:14 |
stickster | sorry, indefinite "this" | 12:14 |
stickster | FESCo discussed technical Spin requirements in their recent meeting too. | 12:15 |
stickster | We should make sure that we, as the Board, are working in coordination with FESCo | 12:16 |
* stickster ponders. | 12:16 | |
stickster | If it's super-duper easy for anyone to use the secondary mark, and that secondary mark is a great pointer to the official project... | 12:17 |
stickster | Why will people want to bother with the primary mark? | 12:17 |
stickster | That's a rhetorical questions. | 12:17 |
stickster | *questions | 12:17 |
* stickster gives up and shoots typist. | 12:17 | |
ctyler | stickster has quit (Shot) | 12:17 |
stickster | heh | 12:17 |
stickster | OK, traffic has died, I think spevack fell asleep listening to me ramble, and there may be an empty question queue. | 12:18 |
stickster | spevack: Shall we call it? | 12:19 |
spoleeba | stickster, congratz you have just completed the full discussion about the value and danger of the secondary mark..all inside your own head | 12:19 |
spoleeba | stickster, you will fail to sleep this evening | 12:19 |
f13 | stickster: you mean like the debian official mark vs the one everybody actually uses? | 12:19 |
stickster | f13: That's precisely why I like the idea of embedding words in the mark. | 12:19 |
* f13 too | 12:20 | |
spevack | stickster: sure | 12:20 |
f13 | I think it's a worry, but something we'll just have to deal with | 12:20 |
f13 | by continuing to make things marked with the official mark relevant and exciting to use | 12:20 |
mdomsch | It's more likely official spins with the full mark will get hosting from the project? | 12:20 |
spevack | stickster: one last thing | 12:20 |
spevack | stickster: then the queue is empty | 12:20 |
f13 | and if our best competition comes from ourselves, isn't that a good thing? | 12:20 |
stickster | spevack: Oh no, that's always a bad sign. | 12:20 |
spevack | < herlo> spevack: Not sure if this is applicable to the previous | 12:20 |
spevack | discussion in the board but, So the patches that have been | 12:20 |
stickster | :-D | 12:20 |
spevack | made and fixes that were applied to the infrastructure, did | 12:20 |
spevack | they help in solving this issue? | 12:20 |
spevack | ugh, sorry for the bad formatting | 12:20 |
f13 | mdomsch: I'm almost of the opinion that only things hosted/produced officially by the project get the full mark, but I haven't fully thought that out yet. | 12:21 |
spot | OUR MAGICAL FAIRY SHIELD NOW PROTECTS US FROM ALL INVADERS, FOREIGN AND DOMESTIC. | 12:21 |
f13 | spot: that's a +3 FAIRY SHIELD mind you | 12:21 |
stickster | We believe that the changes we've made did help, yes. It would be silly for us to claim we're now 100% IMMUNE from bad peeplez | 12:21 |
stickster | -- but -- | 12:21 |
f13 | many of the changes we made will help us to recover from future attacks | 12:22 |
stickster | as all security practitioners know, security's a process, not an end state | 12:22 |
spot | +3 FAIRY SHIELD HAS A +1 AGAINST TROLLS | 12:22 |
f13 | leaving us less with our pants hanging down | 12:22 |
f13 | so that next time, we may not have to nuke from orbit and spend a month trying to get updates out again | 12:22 |
ctyler | f13: So then a spin with the full mark could use the Fedora infrastructure for spin distribution? That's a reason to aim for it over the secondary mark. | 12:22 |
* spevack has nothing else from #fedora-board-public | 12:22 | |
spoleeba | mdomsch, i think im firmly in the camp that we are going going to be officially hosting spins which go through the release process..regardless of primary/secondary mark | 12:23 |
stickster | OK, let's call it. | 12:23 |
f13 | cable guy is here, I'm out. | 12:23 |
stickster | You heard the man. | 12:23 |
stickster | </meeting> | 12:23 |
stickster | Board members, thank you for being here. | 12:23 |
stickster | Community, thank you even more for being here. | 12:23 |
ctyler | stickster, spevack, thank you both. | 12:24 |
spoleeba | we need to move this to a time so I can be drinking heavily while in this meeting | 12:24 |
spevack | my pleasure guys | 12:24 |
stickster | spoleeba: It's always happy hour somewhere. | 12:24 |
stickster | spevack: Thank you my friend | 12:24 |
* stickster hopes he can bend poelcat's arm to do summary/log | 12:24 | |
-!- stickster changed the topic of #fedora-board-meeting to: Next public Board meeting: TBA | 12:28 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!