Announcing and

Stephan Hermann sh at
Tue Nov 13 20:37:48 GMT 2007

Hi Matthew and others,

Matthew East wrote:
> Hi,
> On 13/11/2007, Scott James Remnant <scott at> wrote:
>> On Tue, 2007-11-13 at 04:00 -0600, Brandon Holtsclaw wrote:
>>>> The existing people.u.c could then be moved to,
>>>> which as per the previous thread on this subject is probably a more
>>>> coherent place for it;
>>> The ONLY problem I see with this is migrating existing things like
>>> ~ubuntu-archive to either or
>>>, doesn't support team URLs
>>> atm ( but I'm sure if that was a deciding factor it could be added )
>> Speaking only for myself here, so don't take this as any kind of
>> official response, but in the light of the recent compromise of
>> community-hosted Ubuntu machines -- this would not seem to be a wise idea.
> This sounds like a valid point to me.
> However, given that the previous compromise was of *community* hosted
> servers living outside the * domain, this is really an
> argument against having the ubuntuwire resources on anything other
> than Canonical administered hosting in the first place, rather than an
> argument against pointing an * domain at them.

Well, this is not the right term.
Those servers were Canonical Sponsored, but community administrated.
This was really a pain, to explain to people that not Ubuntu (as an OS) but
the sysadmins were at fault.
Actually, this can happen with any other Linux distro,
but the main point was "It was Canonical Sponsored and Ubuntu powered".

> The bad publicity came out of the fact that the compromised servers
> were running Ubuntu and/or (however loosely) associated with Ubuntu. I
> think we have to recognise that if this happens again (e.g. to the
> ubuntuwire servers, for whatever reason), the fact that it's hosted on
> unofficial servers won't prevent there from being negative publicity.

Well, this is also not true. The public problem was that the PR
department of Canonical didn't react at the right time and not with a
public bang. A big news report with "Canonical and Ubuntu are not at
fault, but sysadmins are" would have been better these days. I know
this, because I had the same discussion in my company, why I'm
installing such an insecure system.

> There is a balance to be sought between the risk of negative
> publicity, the importance of the services provided, and the burden on
> Canonical in administering such services.

There is no burden for Canonical, TBH.
Canonical is not offering public services like shell accounts on any
Canonical hosted machines.
But any other machine, provided by someone else, with an Ubuntu name
tag on it, shouldn't do this either, because the problem of the "Ubuntu"
brand is there. If something happens, it's a real pain with bad
publicity. The people are not interested that those machines are not
running under the Canonical flag, but they will think that Ubuntu is
insecure, and therefore it's really bad for the Canonical business,
selling commercial services for Ubuntu.

I think a different name for those machines is much better than Ubuntu
wire... let's call it MOTUwire or whatever != ubuntu.

> As for the last point, I wonder whether there is any possibility of
> establishing a process by which community members (such as the
> ubuntuwire team) can take part in Ubuntu system administration tasks
> after going through a certain amount of quality assurance in the same
> way that they can obtain commit access to the Ubuntu repository. I
> have no idea to what extent that would be doable but it strikes me as
> an interesting idea, at least in the long term.

Well, having a gpg key + ssh key on our launchpad accounts, and thinking
of being a member of a team, it should be possible to give access, to
anyone authorized against LP, to machines e.g. via VPN access.
The problem, and this is why most companies don't do this, is that even
a member of the Ubuntu Community Developers could be an a**hole and
turn the machine into a spam machine or could do some other things to
Having this said, you have to trust people, and when I'm responsible for
machines in my datacenter, I would only trust people who I pay and/or
who are signing a contract that they are fully responsible for their
doings. So if I can point the finger at someone who compromised my server
(in whatever way), he will be punished by law or whatever.
I don't think that many of us will sign such a contract just for a hobby.
And thinking about my own experience, being a sysadmin, I wouldn't do
this at any time.



More information about the ubuntu-devel mailing list