[sections of this email rearranged a bit by Neal]

On Tue, Oct 12, 2010 at 02:17:57PM +0200, Michael Zoet wrote:
> For me it is "a bit of overreacting" too. Canonical delivers a free
> service about trying one hour free the latest Ubuntu Server Edition on
> Amazon's EC2 with a FAQ about everything related. If you have to think
> about security you would set things up by yourself (on Amazon's EC2 or
> not)!

First of all, I hasten to agree that overall this is a wonderful
offering - a great way to get people started with Ubuntu in one of the
easiest possible ways. A marvelous and welcoming front door indeed! My
hat is off to whoever suggested and implemented it!

> >Neal McBurnett wrote:
> >> How is this not a back door in an Ubuntu delivery?

> On Tue, 12.10.2010, 12:34 Gustavo Niemeyer wrote:
> >
> > This is an experiment we're attempting to allow people to play with a
> > sandbox for less than an hour, with the backend being open sourced and
> > available for anyone to read, and with a FAQ about the raised issue in
> > place even before anyone brought it up. If anything, that's an
> > obvious front door with a welcome sign.

My point, however, was that the back door - the idea of embedding
access for Canonical to the instance - is very dangerous - ESPECIALLY
if the offer is a big success. We know that people often don't read
FAQs, so that is the wrong place to put security-critical information.
If the Canonical ssh key must stay, at least the notice about the back
door should appear prominently to the user during the setup phase. My
guess is that Canonical wouldn't want to deter folks that way, but that
would more effectively defuse potential accusations.

> >> I agree pretty strongly with Eric here. This just raises so many red
> >> flags that don't need to be raised, and puts Canonical in a bad light
> >> that will take a long time to undo.
> >
> > I really do not see where this puts Canonical in a bad light.

The thing which puts Canonical in a bad light is the back door, not
the offering itself. And the more successful the offering, the more
likely it is that someone will spout off very publicly about the back
door, and undermine the essential Canonical and Ubuntu message of
trust in our offerings.

Also, having our open source code out there with a back door in it
could lead to yet more problems down the road. Some less-than-clueful
other project might pick it up, deploy it not noticing that, and be
accused of the same thing, then point the finger back at us.

> > Certainly agree regarding raising unnecessary red flags, but feels
> > like there's a bit of overreaction here too.
>
> Even if I do not like the hype about cloud computing I think this idea and
> service to test the latest Ubuntu Server edition on Amazon's EC2 is a good
> and welcome move for a lot of people. Please keep up with such ideas! Even
> if I never use it ;-).

Yes - keep up the good ideas. Just don't shoot us in the foot at the
same time. With the ssh/ssl weak key disaster in Debian/Ubuntu still
pretty fresh, the last thing we want is folks talking about intentional
back doors....

Thanks,

Neal McBurnett                 http://neal.mcburnett.org/

> Kind regards,
>
> Michael

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
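The concern in the thread is a provider's ssh key baked into an instance image. The defender-side check that follows is an added example, not code from this thread and not part of Canonical's EC2 trial backend: a POSIX shell audit that compares every key in an authorized_keys file against an allowlist of public keys you installed yourself and reports anything else, so an embedded vendor key shows up on first inspection rather than after someone else finds it. The file layout, the allowlist format (one key blob per line) and all key material are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file against
# an allowlist of key blobs you placed there yourself. Any entry whose key blob
# is absent from the allowlist is reported. Key material below is constructed
# for the demo and is not real.

# Usage: unexpected_keys AUTHORIZED_KEYS_FILE ALLOWLIST_FILE
# Prints "UNEXPECTED: <line>" for each entry not on the allowlist.
# Returns 0 when every key is allowlisted, 1 when at least one is not.
unexpected_keys() {
    auth="$1"; allow="$2"
    found=0
    # "|| [ -n "$line" ]" also processes a final line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # The key blob is the first field starting with "AAAA": base64 of the
        # length prefix every OpenSSH public key begins with. Scanning for it
        # copes with lines that carry an options field before the key type.
        blob=""
        for f in $line; do
            case "$f" in AAAA*) blob="$f"; break ;; esac
        done
        [ -n "$blob" ] || continue
        # -x: whole-line match, so a prefix of an allowlisted blob is not enough.
        if ! grep -qxF -- "$blob" "$allow"; then
            printf 'UNEXPECTED: %s\n' "$line"
            found=1
        fi
    done < "$auth"
    return $found
}

# Constructed demo data: one key the admin installed, plus a restricted
# "support" key the admin did not put there. Writes both files into a temp
# directory and prints its path.
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/allowlist" <<'EOF'
AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyYouInstalledYourselfXXXXXXXXXXXXXXXXXXX
EOF
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample, not real key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyYouInstalledYourselfXXXXXXXXXXXXXXXXXXX admin@laptop
no-port-forwarding,command="/usr/bin/vendor-support" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoVendorKeyNotInstalledByYouXXXXXXXX support@vendor
EOF
    printf '%s\n' "$d"
}

# Demo run: the vendor key is reported, the admin key is not.
demo_dir=$(make_demo_files)
if unexpected_keys "$demo_dir/authorized_keys" "$demo_dir/allowlist"; then
    echo "audit clean"
else
    echo "audit found unexpected keys"
fi
rm -rf "$demo_dir"
```

On a real host the same function would be run over every user's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths set in sshd_config) with an allowlist kept outside the image; an options field such as `command=...` restricts what a key can do, but it is still a login path that the allowlist should have to account for.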
