[ubuntu-server] Trying Ubuntu Server in Amazon EC2

Neal McBurnett neal at bcn.boulder.co.us
Tue Oct 12 15:31:44 UTC 2010


[sections of this email rearranged a bit by Neal]
On Tue, Oct 12, 2010 at 02:17:57PM +0200, Michael Zoet wrote:
> For me it is "a bit of overreacting" too. Canonical delivers a free
> service about trying one hour free the latest Ubuntu Server Edition on
> Amazon's EC2 with a FAQ about everything related. If you have to think
> about security you would set things up by yourself (on Amazon's EC2 or
> not)!

First of all, I hasten to agree that overall this is a wonderful
offering - a great way to get people started with Ubuntu in one of the
easiest possible ways.  A marvelous and welcoming front door indeed!
My hat is off to whoever suggested and implemented it!

> >Neal McBurnett wrote:
> >> How is this not a back door in an Ubuntu delivery?
> On Tue, 12.10.2010, 12:34, Gustavo Niemeyer wrote:
> >
> > This is an experiment we're attempting to allow people to play with a
> > sandbox for less than an hour, with the backend being open sourced and
> > available for anyone to read, and with a FAQ about the raised issue in
> > place even before anyone brought it up.  If anything, that's an
> > obvious front door with a welcome sign.

My point, however, was that the back door - the idea of embedding
access for Canonical to the instance - is very dangerous - ESPECIALLY
if the offer is a big success.  We know that people often don't read
FAQs, so that is the wrong place to put security-critical
information.  If the Canonical ssh key must stay, at least the notice
about the back door should appear prominently to the user during the
setup phase.  My guess is that Canonical wouldn't want to deter folks
that way, but that would more effectively defuse potential
accusations.

> >> I agree pretty strongly with Eric here.  This just raises so many red
> >> flags that don't need to be raised, and puts Canonical in a bad light
> >> that will take a long time to undo.
> 
> I really do not see where this puts Canonical in a bad light.

The thing which puts Canonical in a bad light is the back door, not
the offering itself.  And the more successful the offering, the more
likely it is that someone will spout off very publicly about the back
door, and undermine the essential Canonical and Ubuntu message of
trust in our offerings.

Also, having our open source code out there with a back door in it
could lead to yet more problems down the road.  Some less-than-clueful
other project might pick it up, deploy it not noticing that, and be
accused of the same thing, then point the finger back at us.

> > Certainly agree regarding raising unnecessary red flags, but feels
> > like there's a bit of overreaction here too.
> 
> Even if I do not like the hype about cloud computing I think this idea and
> service to test the latest Ubuntu Server edition on Amazon's EC2 is a good
> and welcome move for a lot of people. Please keep up with such ideas! Even
> if I never use it ;-).

Yes - keep up the good ideas.  Just don't shoot us in the foot at the
same time.  With the ssh/ssl weak key disaster in Debian/Ubuntu still
pretty fresh, the last thing we want is folks talking about
intentional back doors....

Thanks,

Neal McBurnett                 http://neal.mcburnett.org/

> Kind regards,
> 
> Michael