First of all, there's no need to be defensive. I'm on your side! I certainly didn't mean to suggest that anything would be hidden - why would it? I only meant to suggest that the details of this incident (once they are all known) need to be made very public rather than being buried in a mailing list where only we geeks will see it. In fact, it needs to be even more public than the report of the break-in was. Why? Because the last news Joe Necktie heard about Debian is that it got hacked. Now I know Debian doesn't own the media, but as Debian users, I think we can all help by pointing out the explanation, once it's given, to every geek news site we can find.
Another poster asked why my confidence was shaken. It's shaken because I guess I thought of kernel.org and debian.org to be among the last places anyone would ever successfully break into, even if that is a tad naive. Linus I think did a fairly decent job of explaining why the kernel.org break-in didn't hurt anything, and I believe him, but personally I'd prefer more detail. Debian has said that nothing was damaged here either, and I believe them too, but that's not the question. The question is, does Joe Necktie believe them? I think what would really be reassuring would be a nice report, or audit, or something describing how security works, and have that be a very prominent feature of every open source site. The more people that put their faith in open source software, the more people are going to want to understand how open source sites make sure that open source code is protected from damage.

-Jim

----- Original Message -----
From: "Michael Stone" <[EMAIL PROTECTED]>
To: "Jim Hubbard" <[EMAIL PROTECTED]>
Cc: <debian-security@lists.debian.org>
Sent: Tuesday, November 25, 2003 9:01 AM
Subject: Re: More hacked servers?

> On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:
> >After the Linux kernel server got hacked a few weeks ago, and now this
> >successful attack at Debian, my confidence is shaken. I hope we'll see full
> >disclosure about exactly what happened and what's being done to prevent it.
>
> We were up-front in reporting the problem, so why would you suggest we
> would hide things later?
>
> Mike Stone