Bad press again...


Bad press again...

Jan Luehr-10
Greetings,

today the German publishing house heise reports disruptions in debian-security:
http://www.heise.de/newsticker/meldung/63242

Rather free translation:
"Breakdown at debian security

Again the debian security infrastructure has proved to be accident sensitive.
This night, power supply broke down, taking security.debian.org, which is
responsible for delivering updates, offline. The power cut happened in the
data center rack the server is stored in.
The machine has been reachable again since late forenoon.

A couple of weeks ago, the shipping of security updates was interrupted due to
narrow personnel resources. For now, it doesn't seem that the breakdown is a
trigger to introduce a backup system for the update server as a central
element of the debian security infrastructure - as discussed earlier."

Sometimes it just bothers me to read this news on heise.de first.
Nothing on deb-ann, dev-ann or sec-ann.
What's wrong here?
And what about the mentioned backup system? Is there going to be one?

(Hope to) Keep smiling
yanosz


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Bad press again...

Alvin Oga


On Thu, 25 Aug 2005, Jan Luehr wrote:

> Again the debian security infrastructure has proved to be accident sensitive.
> This night, power supply broke down,
> taking security.debian.org, which is responsible
> for delivering updates, offline. The power cut happened in the
> data center rack the server is stored in.

i don't know if it was a power supply or if it was the data center, but,

either case can be solved by:  security1.debian.org in LA
and security2.debian.org in NYC and security3.debian.org in berlin :-)

> Sometimes it just bothers me to read this news on heise.de first.
> Nothing on deb-ann dev-ann or sec-ann.
> What's wrong here?

time and resources of "volunteers" ??  -- need "more of it"

> And what about the mentioned backup system? Is there going to be one?

backup is NOT the same as redundancy ...

redundancy allows the systems to keep working even if 1 or more servers
died ..

backup allows you to restore a dead/broken box with a new one with the
same contents .. in a few seconds or a few days .. depending on
the backup methodology

c ya
alvin



Re: Bad press again...

Peer Janssen

>On Thu, 25 Aug 2005, Jan Luehr wrote:
>
>>again the debian security infrastructure has proved to be accident sensitive. [...]
>>
>>Sometimes it just bothers me to read this news on heise.de first.
>>Nothing on deb-ann dev-ann or sec-ann.
>>What's wrong here?
Maybe you can plug into the same sensors as heise.de.

Do they have some monitoring script? Or some monitoring people? (Might
be interesting to know who: [disgruntled users? the competition?])

It could be that calling/mailing[/visiting...] heise.de will yield the
necessary information, and you can learn more, quicker and directly,
about what you care to know.

Peer



Re: Bad press again...

Stefan Fritsch
On Thursday 25 August 2005 23:33, Peer Janssen wrote:
> Do they have some monitoring script? Or some monitoring people?
> (Might be interesting to know who: [disgruntled users? the
> competition?])

cron-apt will send you a mail.

Aug 25 05:16:31 xxx cron-apt: Failed to fetch
http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz 
Could not connect to security.debian.org:80 (194.109.137.218),
connection timed out

Cheers,
Stefan
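
Stefan's cron-apt mail above and the "Could not resolve" output Timo posts later in this thread are the two failure shapes a monitoring script has to tell apart: a mirror that answers DNS but cannot be reached, and a name that does not resolve at all. The following added example (not code from the thread, from cron-apt or from APT) parses constructed syslog lines modelled on those outputs and counts fetch failures per mirror host, so a silent security.debian.org shows up before the press reports it:

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the cron-apt mail quoted in the thread
# (the wrapped log line joined back into one line) and on the "Could not
# resolve" apt output quoted later in the same thread.
SAMPLE_LOG = """\
Aug 25 05:16:31 xxx cron-apt: Failed to fetch http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz Could not connect to security.debian.org:80 (194.109.137.218), connection timed out
Aug 25 05:16:31 xxx cron-apt: Failed to fetch http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Release Could not connect to security.debian.org:80 (194.109.137.218), connection timed out
Aug 26 17:26:02 xxx cron-apt: Failed to fetch http://security3.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz Could not resolve 'security3.debian.org'
Aug 26 17:26:02 xxx cron-apt: CRON-APT LINE: /usr/bin/apt-get update
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ cron-apt: Failed to fetch "
    r"(?P<url>\S+) (?P<reason>.*)$"
)
RESOLVE = re.compile(r"Could not resolve '(?P<host>[^']+)'")
CONNECT = re.compile(r"Could not connect to (?P<host>[^:]+):(?P<port>\d+)")


def classify(reason):
    """Map apt's error text onto a coarse failure class plus the host named in it."""
    m = RESOLVE.search(reason)
    if m:
        return "dns", m.group("host")
    m = CONNECT.search(reason)
    if m:
        return "connect", m.group("host")
    return "other", None


def summarize(log_text):
    """Return {host: {failure_class: count}} over every 'Failed to fetch' line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # progress lines and other cron-apt chatter
        kind, host = classify(m.group("reason"))
        if host is None:
            host = m.group("url").split("/")[2]  # fall back to the URL's host part
        counts[host][kind] += 1
    return {host: dict(c) for host, c in counts.items()}


def alerts(log_text, watched=("security.debian.org",)):
    """Watched hosts that failed at all; an unreachable security mirror is
    exactly the condition this thread complains nobody announced."""
    summary = summarize(log_text)
    return [(host, summary[host]) for host in watched if host in summary]


if __name__ == "__main__":
    for host, failures in alerts(SAMPLE_LOG):
        print(f"ALERT {host}: {failures}")
```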



Re: Re: Bad press again...

Ralph Katz
On 08/25/2005 06:10 PM, Stefan Fritsch wrote:

>
>>> Do they have some monitoring script? Or some monitoring people?
>>> (Might be interesting to know who: [disgruntled users? the
>>> competition?])
>
>
> cron-apt will send you a mail.
>
> Aug 25 05:16:31 xxx cron-apt: Failed to fetch
> http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz 
> Could not connect to security.debian.org:80 (194.109.137.218),
> connection timed out
>
> Cheers,
> Stefan

Don't blame the press.

It's not a "bad press" problem.  Rather, as Alvin suggests, the problem
is closer to home.

(I discovered the problem when I couldn't connect for an aptitude update.)

Regards,
Ralph



Re: Bad press again...

tv (Bugzilla)-2
In reply to this post by Alvin Oga
Alvin Oga wrote:
> either case can be solved by:  security1.debian.org in LA
> and security2.debian.org in NYC and security3.debian.org in berlin :-)

This is interesting but:

Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done
Err http://security3.debian.org sarge/updates/main Packages
   Could not resolve 'security3.debian.org'
Err http://security2.debian.org sarge/updates/main Packages
   Could not resolve 'security2.debian.org'
Err http://security1.debian.org sarge/updates/main Packages
   Could not resolve 'security1.debian.org'
Err http://security3.debian.org sarge/updates/main Release
   Could not resolve 'security3.debian.org'
Err http://security1.debian.org sarge/updates/main Release
   Could not resolve 'security1.debian.org'
Err http://security2.debian.org sarge/updates/main Release
   Could not resolve 'security2.debian.org'
...


Regards,
Timo



Re: Bad press again...

Steven Brunasso
Yep, that is bad, even here from LA.

[steven@ns6 ~]$ dig  security1.debian.org @samosa.debian.org.

; <<>> DiG 9.2.5 <<>> security1.debian.org @samosa.debian.org.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14151
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;security1.debian.org.          IN      A

;; AUTHORITY SECTION:
debian.org.             3600    IN      SOA     samosa.debian.org. hostmaster.debian.org. 2005082501 10800 3600 604800 3600

;; Query time: 74 msec
;; SERVER: 192.25.206.57#53(192.25.206.57)
;; WHEN: Wed Aug 24 23:32:04 2005
;; MSG SIZE  rcvd: 92




On 8/26/05, Timo Veith <[hidden email]> wrote:
Alvin Oga wrote:
> either case can be solved by:  security1.debian.org in LA
> and security2.debian.org in NYC and security3.debian.org in berlin :-)

This is interesting but:

Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done
Err http://security3.debian.org sarge/updates/main Packages
   Could not resolve 'security3.debian.org'
Err http://security2.debian.org sarge/updates/main Packages
   Could not resolve 'security2.debian.org'
Err http://security1.debian.org sarge/updates/main Packages
   Could not resolve 'security1.debian.org'
Err http://security3.debian.org sarge/updates/main Release
   Could not resolve 'security3.debian.org'
Err http://security1.debian.org sarge/updates/main Release
   Could not resolve 'security1.debian.org'
Err http://security2.debian.org sarge/updates/main Release
   Could not resolve 'security2.debian.org'
...


Regards,
Timo



Re: Bad press again...

martin f krafft
In reply to this post by tv (Bugzilla)-2
also sprach Timo Veith <[hidden email]> [2005.08.26.1726 +0200]:
> >either case can be solved by:  security1.debian.org in LA
> >and security2.debian.org in NYC and security3.debian.org in berlin :-)
>
> Reading Package Lists... Done
> Building Dependency Tree
> Reading extended state information
> Initializing package states... Done
> Err http://security3.debian.org sarge/updates/main Packages
>   Could not resolve 'security3.debian.org'

I think Alvin was alluding to how it *should* be solved. As in: we
should have more than one security server, globally spaced.

Heck, we *should* have a responsive and communicative security team.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"the good thing about standards is
 that there are so many to choose from."
                                                -- andrew s. tanenbaum


Re: Bad press again...

Luis Mondesi
perhaps instead of security2.d.o, securityN.d.o it should be done like
the ftp aliases:

security.us.d.o (or better by location like: security.us.ny.d.o)
security.de.d.o, etc...

I guess once GPG signed packages (now in Sid) become a reality, these
things can be done more safely.

--
----)(-----
Luis M
System Administrator
Kiskeyix.org

"We think basically you watch television to turn your brain off, and
you work on your computer when you want to turn your brain on" --
Steve Jobs in an interview for MacWorld Magazine 2004-Feb

No .doc: http://www.fsf.org/philosophy/no-word-attachments.es.html


Re: Bad press again...

martin f krafft
also sprach Luis M <[hidden email]> [2005.08.26.1750 +0200]:
> perhaps instead of security2.d.o, securityN.d.o it should be done like
> the ftp aliases:
>
> security.us.d.o (or better by location like: security.us.ny.d.o)
> security.de.d.o, etc...

No matter what they are called, it should be possible to switch the
security.d.o A record to another IP and have things work within
minutes. I continue to be in favour of having *only*
security.debian.org as the canonical security source. But add
fail-over redundancy!

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"a profession is a bulwark behind which one is permitted to retreat
 when doubts and worries of a general kind assail one."
                                                 - friedrich nietzsche


Re: Bad press again...

tomasz abramowicz
In reply to this post by martin f krafft
martin f krafft wrote:

> also sprach Timo Veith <[hidden email]> [2005.08.26.1726 +0200]:
>
>>>either case can be solved by:  security1.debian.org in LA
>>>and security2.debian.org in NYC and security3.debian.org in berlin :-)
>>
>>Reading Package Lists... Done
>>Building Dependency Tree
>>Reading extended state information
>>Initializing package states... Done
>>Err http://security3.debian.org sarge/updates/main Packages
>>  Could not resolve 'security3.debian.org'
>
>
> I think Alvin was alluding to how it *should* be solved. As in: we
> should have more than one security server, globally spaced.
>
> Heck, we *should* have a responsive and communicative security team.
>

why aren't all redundant security servers included in the sources.list,
or why doesn't it ask at install time to include all backup security servers
as well as security.debian.org?

t.



Re: Bad press again...

Martin-35
In reply to this post by martin f krafft
On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote:
> Heck, we *should* have a responsive and communicative security team.

Do we have a security team for stable?  I know that we have a
security team for testing consisting of nine DDs and ten
non-DDs, but it seems to me that stable is handled by Joey
alone.  Has this changed since the havoc a few months ago?

Cheers, WB



Re: Bad press again...

martin f krafft
In reply to this post by tomasz abramowicz
also sprach tomasz abramowicz <[hidden email]> [2005.08.26.1836 +0200]:
> why arent all redundant security servers included in the sources.list,
> or why doesnt it ask at install time to include all backup security servers?
> as well as security.debian.org?

security.debian.org is not a server, it's a DNS A record. It's
a whole lot easier to point that elsewhere in case of problems than
expecting users to make sense of the errors they get when some
servers can't be reached.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
women can keep a secret just as well as men,
but it takes more of them to do it.


Re: Bad press again...

martin f krafft
also sprach martin f krafft <[hidden email]> [2005.08.26.1907 +0200]:
> security.debian.org is not a server, it's a DNS A record. It's
> a whole lot easier to point that elsewhere in case of problems than
> expecting users to make sense of the errors they get when some
> servers can't be reached.

Ah, but this will of course fail for all those stuck on the network
of T-Online and similarly incompetent ISPs, who can't run proper DNS
resolver caches.

One way we could do this is by providing multiple A records for
s.d.o and hacking APT so that when it receives multiple A records
for a DNS name, it tries them in turn and only reports an error when
all of them failed.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
this message represents the official view of the voices in my head.
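
The try-every-A-record behaviour Martin proposes for APT can be prototyped outside APT to see what it buys: a client that asks for all addresses of the canonical name, connects to each in turn with the canonical name in the Host header, and reports one combined error only when every address failed. This is an added example, not APT's code and not from the thread; `resolve_all`, `http_get` and `fetch_with_failover` are assumed names, and the offline demo uses stub resolver and fetcher functions with constructed addresses from the 192.0.2.0/24 documentation range:

```python
import socket
import http.client


def resolve_all(hostname, port=80):
    """Every IPv4 address the resolver returns for hostname, duplicates removed."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs = []
    for info in infos:
        addr = info[4][0]
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def http_get(addr, hostname, path, timeout=5.0):
    """Fetch path from one concrete address, sending the canonical name in
    the Host: header so name-based virtual hosting on the mirror still works."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        if resp.status != 200:
            raise OSError(f"HTTP {resp.status} from {addr}")
        return resp.read()
    finally:
        conn.close()


def fetch_with_failover(hostname, path, resolve=resolve_all, get=http_get):
    """Try the addresses in turn; return on the first working one and raise a
    single combined error only when all of them failed (Martin's proposal)."""
    addrs = resolve(hostname)
    if not addrs:
        raise OSError(f"Could not resolve '{hostname}'")
    errors = []
    for addr in addrs:
        try:
            return addr, get(addr, hostname, path)
        except (OSError, http.client.HTTPException) as exc:
            errors.append(f"{addr}: {exc}")
    raise OSError(f"all {len(addrs)} addresses for {hostname} failed: "
                  + "; ".join(errors))


# Offline demo with constructed data: three A records, the first two time out.
DEMO_ADDRS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]


def demo():
    """Return (address used, addresses attempted, body) for the constructed case."""
    attempted = []

    def stub_resolve(hostname):
        return list(DEMO_ADDRS)

    def stub_get(addr, hostname, path):
        attempted.append(addr)
        if addr != DEMO_ADDRS[-1]:
            raise OSError("connection timed out")
        return b"Origin: Debian\n"

    used, body = fetch_with_failover("security.debian.org",
                                     "/debian-security/dists/sarge/updates/Release",
                                     stub_resolve, stub_get)
    return used, attempted, body
```

Calling `fetch_with_failover` with the default `resolve_all`/`http_get` runs it against a real name; `demo()` exercises the same logic without network access.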


Re: Bad press again...

Florian Weimer
In reply to this post by martin f krafft
* martin f. krafft:

> I think Alvin was alluding to how it *should* be solved. As in: we
> should have more than one security server, globally spaced.

security.debian.org already is a Single Point of Ownership.  I don't
think we need multiple ones, so this is definitely a post-etch thing.



Re: Bad press again...

Florian Weimer
In reply to this post by Martin-35
* W. Borgert:

> Do we have a security team for stable?  I know that we have a
> security team for testing consisting of nine DDs and ten
> non-DDs, but it seems to me that stable is handled by Joey
> alone.  Has this changed since the havoc a few months ago?

I don't think so.  Joey seems to be satisfied with this situation, and
apart from unanswered email messages to <[hidden email]>, there
are few complaints, AFAIK.  The email part is very unfortunate indeed,
but it probably doesn't warrant drastic measures.



Re: Bad press again...

Petter Reinholdtsen
[Florian Weimer]
> I don't think so.  Joey seems to be satisfied with this situation,
> and apart from unanswered email messages to <[hidden email]>,
> there are few complaints, AFAIK.

I'm not sure if the satisfaction of Martin Schulze is a good measuring
stick to judge the quality of the stable security work.

The count of open security issues in stable and oldstable is probably
a better measuring meter, and it does not look too good.



Re: Bad press again...

Henrique de Moraes Holschuh
In reply to this post by Florian Weimer
On Sat, 27 Aug 2005, Florian Weimer wrote:
> * martin f. krafft:
> > I think Alvin was alluding to how it *should* be solved. As in: we
> > should have more than one security server, globally spaced.
>
> security.debian.org already is a Single Point of Ownership.  I don't
> think we need multiple ones, so this is definitely a post-etch thing.

Irrelevant if secure apt is deployed correctly.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: Bad press again...

Henrique de Moraes Holschuh
In reply to this post by Florian Weimer
On Sat, 27 Aug 2005, Florian Weimer wrote:
> I don't think so.  Joey seems to be satisfied with this situation, and
> apart from unanswered email messages to <[hidden email]>, there
> are few complaints, AFAIK.  The email part is very unfortunate indeed,
> but it probably doesn't warrant drastic measures.

Since when is increasing the stable security team (i.e. adding more people)
a drastic measure?

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: Bad press again...

martin f krafft
In reply to this post by Henrique de Moraes Holschuh
also sprach Henrique de Moraes Holschuh <[hidden email]> [2005.08.27.1540 +0200]:
> > security.debian.org already is a Single Point of Ownership.  I don't
> > think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.

No. Imagine exim gets a root exploit and I spoof the DNS to some
mirror of s.d.o. That mirror will be consistent wrt secure APT, but
it won't get updates, so admins who don't follow DSAs and run
apt-get upgrade consciously and carefully are going to be left in
the naive belief that they are safe because s.d.o doesn't have any
new stuff.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
perl -e 'print "The earth is a disk!\n" if ( "a" == "b" );'
                                                   (dedicated to nori)
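
The failure mode Martin describes, a mirror whose Release file still verifies but never changes, is a replay of old signed metadata, and the defence is an expiry on that metadata. The following added example (not code from the thread or from APT) checks the Date and Valid-Until fields of a constructed Release sample: Valid-Until is the Release field that later APT versions enforce for exactly this purpose; when it is absent the check falls back to a local age limit on Date. Signature verification is assumed to have already passed before this check runs.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the header of a Debian Release file as a frozen mirror
# would keep serving it. The signature is assumed to have verified already;
# this check catches a *validly signed* but stale snapshot.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: sarge
Date: Thu, 18 Aug 2005 10:00:00 UTC
Valid-Until: Thu, 25 Aug 2005 10:00:00 UTC
Architectures: i386 amd64
Components: main contrib non-free
"""

# Same sample without an expiry, as Release files of that era were published.
SAMPLE_RELEASE_NO_EXPIRY = "\n".join(
    line for line in SAMPLE_RELEASE.splitlines() if not line.startswith("Valid-Until")
) + "\n"

RELEASE_TIME = "%a, %d %b %Y %H:%M:%S UTC"


def utc(year, month, day, hour=0, minute=0):
    """Construct a timezone-aware UTC timestamp (used as the clock input)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release_fields(text):
    """Top-level 'Key: value' lines of a Release file; indented hash lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue  # continuation lines belong to the MD5Sum/SHA1 blocks
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_release_time(value):
    return datetime.strptime(value, RELEASE_TIME).replace(tzinfo=timezone.utc)


def check_freshness(text, now, max_age=timedelta(days=7)):
    """Return (ok, reason). Enforce Valid-Until when present; otherwise reject
    a Release whose Date is older than max_age, since a replayed Release
    carries a good signature but an old timestamp."""
    fields = parse_release_fields(text)
    if "Date" not in fields:
        return False, "Release has no Date field"
    date = parse_release_time(fields["Date"])
    if "Valid-Until" in fields:
        until = parse_release_time(fields["Valid-Until"])
        if now > until:
            return False, f"Release expired at {until:%Y-%m-%d %H:%M} UTC"
        return True, "within Valid-Until"
    age = now - date
    if age > max_age:
        return False, f"Release is {age.days} days old and carries no Valid-Until"
    return True, f"Release is {age.days} days old"
```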
