On Thu May 15 2008 06:20:10 Thijs Kinkhorst wrote:

> You mean less likely than once in 15 years? We're open to your suggestions.

Leaving millions of systems open to crackers for 2 years out of 15 is not a joke. I don't blame the DD - we have all made mistakes and most of us are lucky they weren't this serious - but we should blame the process. And fix it.

The notification process, with the fix in the archive long before users were notified, failed to live up to Debian's usually high standards. The delay in getting some of the fixes into Testing may also be an issue.

The rollout of information and updates was appalling - even adding in the material from Ubuntu, the information was piecemeal and inadequate to properly secure systems within the limited time before crackers might be expected to have exploits. The vulnerability scanner didn't handle keys in many forms (e.g. Apache keys) and gave false negatives because it doesn't use ~/.ssh/config to check the correct port in the common case where ssh is running on a port other than 22. In the wonderful light of hindsight, it would probably have been better to devote less effort to the scanner and more effort to documenting all the kinds of key replacements that are needed, and to simply assume that all keys are potentially compromised.

Serious efforts are needed on two fronts.

Second, we must ensure that nothing like this ever happens again. This calls for a thorough investigation and carefully updated policies and procedures. It will take a while to do properly. It must be apparent to both the Debian community and the world that the effort is authoritative, sincere, and open.

But first we must carefully avoid any communication, however intended, which might be construed as a flippant attitude to this disaster.

--Mike Bird