[Gruppo-web] [loco-council] Disappointed by Canonical SysAdmin Team behaviour

José Antonio Rey jose a ubuntu.com
Thu 30 Oct 2014 14:48:48 GMT


First of all, I would like to apologize for any inconveniences you may have
experienced because of this downtime.

The IS team is always working on improving security on the servers, but it
appears there was a misunderstanding.

I recognize that it would be a good idea to send out an announcement to the
contact for the webpage in the event there is a suspicion about a security
vulnerability. This would've made the process way easier, and I guess is
something that could be worked on.

Daniel, Michael, is there a way we could get a ticket filed on
rt.admin.canonical.com in order to give this a bit more of priority, or to
get a priority bump on rt.ubuntu.com? I believe that the most important
thing right now is getting them up and running as soon as possible.

José Antonio Rey
On Oct 30, 2014 9:33 AM, "Andrea Colangelo" <warp10 a debian.org> wrote:

> Dears all,
> we regret to write this email, but we can no longer tolerate problems
> like the ones we're describing below.
> Today, we noticed Italian Community web page [0] is not reachable, and a
> 403 Forbidden error is displayed instead. This was not triggered by any
> change made by our Website Team, so we investigated the problem with the
> Canonical Sysadmins.
> Riccardo Padovani, the spokesperson of the Italian Website Team, reached
> the Canonical Sysadmins, here's an excerpt of the chat they had via IRC:
> <rpadovani> moon127, we have a forbidden advice on every page of
> http://www.ubuntu-it.org. No changes on our side in last hours, could
> you take a look please?
> <moon127> rpadovani, we detected an update from Drupal 7.31 to 7.32
> recently which did not seem to have been initiated by our guys and taken
> down as a precaution due to https://www.drupal.org/PSA-2014-003 - we
> have people investigating currently.
> <rpadovani> moon127, indeed, the update is not from your guys because
> drupal is managed by us on lp and then sync on server by cron
> <rpadovani> Here my commit for Drupal 7.32
> <rpadovani>
> https://bazaar.launchpad.net/~ubuntu-it-www/ubuntu-it-www/www-repo/revision/191
> The Drupal update was prepared by Riccardo a few hours after the Drupal
> Security Bulletin [1] was issued, so the website was no longer
> vulnerable due to the prompt reaction of Riccardo and the Italian
> Website Team.
> Nobody stepped in and warned us that the SysAdmin Team was going to turn
> off the website for "precaution purposes". Neither any members of the
> Website Team nor any members of the Italian LoCo Team got a notice.
> Also, nobody checked whether the site was actually affected by the
> vulnerability described in [1], it has been taken down without any
> check. Considering how many daily visits our website gets, this looks
> like an irresponsible course of action. We consider this approach not
> acceptable at all, especially for a service so important for our
> Community.
> This is just the latest issue we had while interacting with the
> Canonical SysAdmin Team (evidence of this can be found in the tickets we
> filed on [2]), and we are fed up with this. We are grateful for the help we
> get from Canonical in hosting our websites and many other services,
> nevertheless we feel the need of a better communication among us.
> Also, our website is still down as we are sending this email. We kindly
> ask you to provide us with your support to solve these problems as soon
> as possible.
> [0] http://www.ubuntu-it.org/
> [1] https://www.drupal.org/SA-CORE-2014-005
> [2] https://rt.ubuntu.com
> Thank you for your co-operation,
> Andrea Colangelo
> on the behalf of the Italian LoCo Team
> --
> Andrea Colangelo                      |   http://andreacolangelo.com
> Debian Developer <warp10 a debian.org>  |   Ubuntu Developer <
> warp10 a ubuntu.com>