[ubuntu-server] Trying Ubuntu Server in Amazon EC2

Neal McBurnett neal at bcn.boulder.co.us
Tue Oct 12 04:20:43 UTC 2010


On Mon, Oct 11, 2010 at 10:50:21PM -0400, Scott Moser wrote:
> On Mon, 11 Oct 2010, Eric Hammond wrote:
> 
> > On 10/11/2010 06:24 PM, Scott Moser wrote:
> > > It is in the FAQ.
> >
> > I'm probably sounding like a broken record to you, but as a general rule, I
> > don't believe that people read documentation when it looks like they can
> > accomplish what they want without it.  Best to not have surprises or confusing
> > features if you can avoid it, and in this case, it sounds like you can.
> 
> Again, it's configurable.  We wanted the experience to be as smooth as
> possible.  You brought up yourself that you didn't think the experience
> would be smooth for people without a launchpad account.  We wanted to give
> a large number of people the ability to see Ubuntu server (on ec2) in
> action.  That was the primary goal.  The changes to the default settings
> were done in the most secure way we could think of and still achieve that
> goal.

I agree pretty strongly with Eric here.  This just raises so many red
flags that don't need to be raised, and puts Canonical in a bad light
that will take a long time to undo.

> > > The primary reason for
> > > launching with a key was so we could debug if necessary, and explicitly so
> > > that if the user was locked out (i.e., no access to their published
> > > launchpad keys), then we could ssh in, set a one-time password and show
> > > that to the user.
> >
> > I believe it's better to err on the side of security than convenience here.
> > This is how Amazon does it with EC2 in the larger scheme of things.  If you
> > lock yourself out, they cannot help you get access to your box no matter how
> > important it is to you (generally).  That's how important your security is to
> > them and I'd love to see Canonical continue this level of trust.
> 
> I would never suggest this for the base images.  Canonical will never
> insert back doors into Ubuntu EC2 images or *any* Ubuntu delivery.

How is this not a back door in an Ubuntu delivery?

If someone is locked out (and they're asking for support within this
55 minute window?), perhaps you could then explain this and either
help them get the key they need configured in launchpad, or offer to
launch a new one with a Canonical key so you could help.  The EC2 cost
is negligible for 55 minutes, I would think, under these
circumstances.

> I don't (yet) regret that decision, but I understand the concern.  Again,
> we're not using it at all, and it's very easily disabled by the user.

> > Again, I realize that this is just a simple trial, but if simple things are
> > designed with security in mind from the beginning, then it will be easier to
> > carry through to when those projects and ideas are used in larger, more
> > important situations.
> >
> > > There is obviously trust in the launcher (Canonical) as they could have
> > > done any nefarious things they wanted to the image.
> >
> > Obviously.  And when I find that the launcher has put in place a clear back
> > door for convenience, it increases the doubt that they may at some point add
> > secret back doors for some other noble purpose.
> 
> A documented, easily discoverable "backdoor", and it's only a trial
> instance.  I personally don't think it's that big of a deal *in this
> scenario*.

If it helps a lot, perhaps, but I think it's starting off on the wrong
foot.

Neal McBurnett                 http://neal.mcburnett.org/
