Leading situation and future of Ubuntu Hardened and Hardened Debian (leaving).

Jamie Jones
Sun May 1 10:29:53 CDT 2005

On Sat, 2005-04-30 at 23:44 +0200, Lorenzo Hernández García-Hierro wrote:
> Hi,


> First, and trying to make this the disclaimer that applies to the rest of
> this email, I want to note that there's no intention of creating a
> flame war nor spreading any other type of malicious (dis)information.
> As a little introduction to the background of this email, I will talk
> about my activities and procedures as the Ubuntu Hardened and Hardened
> Debian lead (even if it's not well advised in some places, creating some
> confusion around who takes care of the goals, desires, head development and
> leading politics of the projects, for the good and the bad, taking the
> *not imperative at all* responsibility for *any* result, desired or
> undesired, expected or unexpected).
> I've been trying to communicate as well as possible with the
> "official" developers and communities behind Ubuntu Linux and Debian,
> trying to coordinate the work and organize it to ensure good working
> conditions and QA.
> Mostly, I've been doing development more than politics, as it usually
> happens that people talk too much, say too little, and do even less
> work. That is, vaporware, no clear ideas with an end date.

Thank you for your work so far. I have found it to be very useful.

> During the development and work within Hardened Debian, good and bad
> things happened. We lived with them and took care of them as well as
> possible (thanks to Andrew Dobbie and the other people who helped and
> made those bad times less heavy to handle), while paying attention to a
> project which was growing up quickly and taking a brilliant
> approach; that was Ubuntu Linux for us.
> Thus, due to the nonexistence of any collaboration and coordination with
> any Debian developer (and the negative or pretty inaccurate feedback in
> certain cases), I took a personal decision, by starting a "fork
> project", Ubuntu Hardened, moving the work done in Hardened Debian and
> deploying it in Ubuntu Linux as best we could (I must say
> that there was a great welcome for it, and I must thank Martin Pitt for
> it, in the first place).
> Now, things are slightly different. Before the UDU started, that is, 1
> month before, I was working out the tasks for the SELinux herd. I did
> 90% of the work in a weekend, among the other Ubuntu Hardened tasks
> like fixing, checking and releasing the libssp packages,
> designing and organizing the project itself, making plans for the IBM
> SSP/ProPolice deployment, doing a little porting job to make it
> available for GCC 4.0 as Breezy needs, thinking
> that it might be the first time that we (Hardened Debian/Ubuntu
> Hardened) got something *really* accepted and deployed. There was a
> feeling of having things well done and getting good feedback.
> But later things changed. UDU started. I couldn't attend because of
> economic and personal reasons, thus leaving the BOF sessions to other
> people whom I trusted to make good decisions. Seems that I was
> wrong.
> The information provided was completely inaccurate, the decisions are
> worthless in my opinion (and I have strong reasons to hold such an
> opinion), the subjects were incomplete and the credit for my work was
> *missing*. The information was out there; I just can't give it *all done*,
> sometimes people need to work out their stuff on their own.

I am interested in your opinion; would you mind elaborating on it? I do
agree that the subjects are incomplete. When I attended I mentioned that
you were doing the SSP stuff (for those of you who attended, it was in
the first proactive security BOF; I couldn't remember Lorenzo's full
name). I didn't get the feeling that many of the people attending were
security experts, but at least it is a start.

> Let's take a look: SSP won't be accepted or deployed at all (after
> the work that has been done since the start) just because it won't be
> accepted upstream. Well, that wouldn't be a problem if there weren't a
> decision to deploy arbitrary patches in the Ubuntu kernel packages,
> which may (and I tend to believe that they *will*) just add *some
> security enhancements that were proposed upstream and never got
> accepted*.

I did argue for SSP in main (proactive security BOF), but was told no
because upstream won't take it (I was a bit late, but that was a quick
decision!). The only compromise I got was that a gcc with SSP patches
could be provided in universe. I would like to use your gcc SSP work in
a derivative, if you are still interested in continuing your SSP work.

> I asked. The reply was just that the kernel team knows what they do. I
> also know what I do on the SSP deployment, and also about the patches
> that I developed and *was asked* to write.
> That's not the only thing. Also, there was no credit at all for my
> work, or at least, the public information of UDU shows that. I don't
> demand it, but it would be polite to credit the work of someone
> who wanted to help and invested *much* time to finish things up quickly
> and well. I was also asked to port the kernel helpers of SSP to
> other architectures (it was only available for i386, and currently it's
> not tested yet), before the UDU and the "decisions" were taken (among
> that I still don't know what decisions resulted from the SELinux
> BOF, if any were even taken, without mentioning the Proactive Security
> BOF), so, what do I do, after "wasting" my time while working on it
> (http://pearls.tuxedo-es.org/patches/ssp-propolice/propolice_kernel_helpers.patch),
> if someone decided to *discard* it with no visible reason or
> announcement? After I complained about this, the reply was again
> worthless: walk our way or walk yours and live alone. Sorry for
> walking my own way, but I won't go the wrong way; if you want to
> blindly walk to failure, do it. But don't ask me to follow you.

I understand. I've read the website report (proactive security only) and
it seems to me that the decisions taken were not all taken with
proactive security in mind. I disagree with both comments on the page as
they seem not to grasp the proposed security features (actually I don't
quite understand what furryball's last statement is, but I think he's
saying I'm wasting my time). Perhaps I can join you for a while along
your path?

> Because of all of these issues, and others that I prefer not to
> talk about (such as the obvious prejudices and aversion of some third
> parties, due to worthless and meaningless reasons), I've decided to
> leave the projects, as there's nothing good coming from them, for an
> undefined period of time, and until the situation gets clear and the
> issues solved. Don't think I'm giving up, just think that I'm going to
> *not* take part in a mess for no good reason. It's something not on
> my list of goals. There's a lot to help with out there, and a lot to choose from.
> At least I've learnt that, instead of investing my time in a fight with
> no good end, it's better to stay away and become a spectator of the doom
> or the success, and give help only when someone comes up with an
> honest and worthy question.

Will you continue to remain on the list? I'd like to discuss with you
security features, and the relative merits of different solutions.

> "Prudence, indeed, will dictate that Governments long established should
> not be changed for light and transient causes; and accordingly all
> experience hath shewn, that mankind are more disposed to suffer, while
> evils are sufferable, than to right themselves by abolishing the forms
> to which they are accustomed."
> (The Declaration of Independence, July 4, 1776)
> http://www.archives.gov/national_archives_experience/charters/declaration_transcript.html
> My best wishes to all who helped, giving continuously their feedback and
> opinion, critics and feelings about how things were going on. Also, my
> best wishes to Ubuntu Linux, Debian and all the people involved in its
> development.
> Thanks to all.
> Cheers.

Again, thank you for your work.

