[ubuntu-hardened] Leading situation and future of Ubuntu Hardened and Hardened Debian (leaving).

[Brandon Hale]

Since I feel that a number of points here seem to be aimed at me, I
think I should respond to some of them. Can we *please* stop cross
posting? (again.)

On Sat, 2005-04-30 at 23:44 +0200, Lorenzo Hernández García-Hierro
wrote:
> Hi,
> 
> First, and trying to make this the disclaimer that applies the rest of
> this email, I want to note that there's no intention for creating a
> flame war nor spreading any other type of malicious (dis)information.
> 
> As a little introduction to the background of this email, I will talk
> about my activities and procedures as the Ubuntu Hardened and Hardened
> Debian lead (even if it's not well advised in some places, creating some
> confusion around who cares of the goals, desires, head development and
> leading politics of the projects, for the good and the bad, taking the
> *not imperative at all* responsibility of *any* result, desired or
> undesired, expected or unexpected).
> 
> I've been trying to communicate as better as possible with the
> "official" developers and communities behind Ubuntu Linux and Debian,
> trying to coordinate the work and organizing it for ensuring a good work
> conditions, and the Q/A.

<snip debian history>

> Now, things are slightly different. Before the UDU started, that is, 1
> month before, I was working out the tasks for the SELinux herd. I did
> the 90% of the work in a weekend, among the other Ubuntu Hardened tasks
> like fixing, checking and releasing the libssp packages,
> designing and organizing the project itself, doing plans on the IBM
> SSP/ProPolice deployment, doing a little porting job to make it
> available for GCC 4.0 as of Breezy needs, thinking
> that it might be the first time that we (Hardened Debian/Ubuntu
> Hardened) get something *really* accepted and deployed. There was a
> feeling of having things well-done and having a good feedback.
> But later things changed. UDU started. I couldn't attend because of
> economical and personal reasons, thus, leaving the BOF sessions to other
> people that I was trusting to make good decisions. Seems that I was
> wrong.

You did most of the work in one weekend. Very cool.
This was done as a fork, which is justified, but merging a fork back
into Ubuntu will be piecemeal as you are talking about critical packages
in main.  This means working inside the development process.

Alot of work was done after freeze for hoary, and I remember asking you
to hold off and get involved in spec'ing things for the Breezy cycle.
So far you continued to document your work in the fork. Cool, but we
need a plan on what to do about merging.  Your responses to that work
has been flamebait. You imply that we plagiarize your work, which is
based on the work of others, and that we also clearly link to. Also, you
imply that I do not adequately understand the concepts when I tell you
your patch is too far from the upstream base, or needs to be made
optional.  

For the record, the BOFs in question were run by myself and Andrew
Mitchell for SELinux, then the same for ProactiveSecurity. James Troupe
visited both BOFs as an observer.  The BOF format at UDU was a 45 minute
session where a problem was posed, then the intended solution was
discussed and documented.  

In our writeup of the BOF, which was mostly concerned with technical
tasks to be reviewed, we did (twice) link to your page on the master
wiki, where you clearly credit yourself. We credited neither of
ourselves beyond the wiki keywords used in scheduling.

> The information provided was completely inaccurate, the decisions are
> worthless in my opinion (and I have strong reasons to have such
> opinion), the subjects were incomplete and the credit of my work was
> *missing*. The information was out there, I just can't give *all done*,
> sometimes people need to work out their stuff at their own.

The information was a quick overview of what was discussed.
When you go as far as to say something is worthless, next time state
your strong reasons or keep it to yourself.  The subjects were covered
in about half an hour, and your work was linked.

It is hardly all done, it is done in a fork, and needs merge, review,
and testing in the real distro.

> Let's take a look: SSP won't be accepted and not deployed at all (after
> the work that has been done since the start) just because it won't be
> accepted upstream. Well, that wouldn't be a problem if, there's not a
> decision of deploying arbitrary patches in the Ubuntu kernel packages,
> that may (and I tend to believe that they *will*), just to add *some
> security enhancements that were proposed to upstream and never got
> accepted*.

You are getting two things mixed up here.
For the record, there is an SSP patch against gcc from IBM.  This was
rejected, because it doesn't keep current with upstream gcc, and breaks
packages.  There is no intention of it being merged with gcc at any
point.

Trulux has his own gcc implementation which involves even more intrusive
hooking into the kernel.  This was not discussed at all, as we already
decided to avoid SSP.  The decision was not a personal attack against
trulux or IBM.

> I asked. The reply was just that the kernel team knows what they do. I
> also know what I do on the SSP deployment, and also about the patches
> that I developed and *being asked* to write.
> That's not the only one thing. Also, there was no credit at all of my
> work, or at least, the public information of UDU shows that.

If I want to credit your work in a book I publish, I put the name of
your book in a footnote. Likewise, on the web, I credit you by giving a
hyperlink to your work.

>  I don't
> reclaim it, but it would be polite to credit the work of someone
> that wanted to help and invested *many* time to finish up things quickly
> and well-done. I was also asked to port the kernel helpers of SSP to
> other architectures (it was only available for i386, and currently it's
> not tested yet), before the UDU and the "decisions" were taken (among
> that I still don't know about what decisions resulted of the SELinux
> BOF, if there were even taken, without mention to the Proactive Security
> BOF), so, what I do, after "wasting" my time while working on it
> (http://pearls.tuxedo-es.org/patches/ssp-propolice/propolice_kernel_helpers.patch),
> if someone decided to *discard* it with no visible reason and
> announcement. After I complained about this, the reply was again
> worthless: walk in our way or walk in yours and live alone. Sorry of
> walking in my own way, but I won't go in a wrong way, if you want to
> blindly walk to the failure, do it. But don't ask me to follow you.

Already covered, we reject SSP as a whole.
Dropping one piece of technology doesn't equate to blindly walking to
failure.  I believe what you are paraphrasing from me was meant more in
the vein of "get more involved with our development plans, rather than
pushing me on stuff we already decided not to pursue."

> Because of all of these issues, and other ones that I prefer to don't
> talk about (such as the obvious prejudices and aversion of some third
> parties, due to worthless and meaningless reasons), 

Be more specific here. Claims require reasons.

> I've decided to
> leave the projects, as there's nothing good coming from them, for an
> undefined period of time, and until the situation gets clear and the
> issues solved. Don't think I'm giving up, just think that I'm going to
> *not* take part of a mess for no good reason. It's something not on
> my list of goals. There's a lot to help out there, and a lot to choose.

Since our proposed (not even approved) set of goals on the area conflict
with yours, you are leaving the project.  Fine.

> At least I've learnt that, instead of investing my time in a fight with
> no good end, it's better to stay away and become a spectator of the doom
> or the success, and give help out only when someone comes up with an
> honest and worthy question.
> 
> "Prudence, indeed, will dictate that Governments long established should
> not be changed for light and transient causes; and accordingly all
> experience hath shewn, that mankind are more disposed to suffer, while
> evils are sufferable, than to right themselves by abolishing the forms
> to which they are accustomed."
> (The Declaration of Independence, July 4, 1776)
> http://www.archives.gov/national_archives_experience/charters/declaration_transcript.html

Hold up there dude, you'd better credit all the authors of the
Declaration. They'll get revolutionary on your ass!

:P

I hope that in the future if take such issue with discussions I've held
and documented for your review that you tell me about specific issues,
instead of cross posting a flame, with many issues alluded to but not
substantiated, in a less public venue.  I could have explained to you
the BOF process and you might have felt less that the resulting docs
were incomplete or incorrect.

Thanks,
Brandon Hale