[Gruppo-web] [loco-council] Disappointed by Canonical SysAdmin Team behaviour

cprofitt cprofitt a ubuntu.com
Thu 30 Oct 2014 19:35:17 GMT

Thanks for raising this issue.

I have never managed a Canonical supported website before so I would
like to ask for some background.

      * Is there an SLA that Canonical has made to community web pages
        they host?
      * Is there any agreement in regards to notification when problems
      * Was it documented that the IT team has control of the drupal
        environment via LP? If so how did the IS team miss that they had
        made that change?
      * How is the risk evaluated? Is there a guide that those affected
        can be made aware of to help them understand?
      * Is there any site or communication that lets team know when
        service will be restored?

I can see with this particular vulnerability why action was taken, but I
think it is reasonable that the IS team communicate with the people
listed as contacts on the affected sites. Good incident response /
security teams have a designated person (often non-technical) that is
responsible for communications during incidents; does Canonical IS have
such a person?


On Thu, 2014-10-30 at 09:48 -0500, José Antonio Rey wrote:
> Andrea,
>
> First of all, I would like to apologize for any inconveniences you may
> have experienced because of this downtime.
>
> The IS team is always working on improving security on the servers,
> but it appears there was a misunderstanding.
>
> I recognize that it would be a good idea to send out an announcement
> to the contact for the webpage in the event there is a suspicion about
> a security vulnerability. This would've made the process way easier,
> and I guess is something that could be worked on.
>
> Daniel, Michael, is there a way we could get a ticket filed on
> rt.admin.canonical.com in order to give this a bit more of priority,
> or to get a priority bump on rt.ubuntu.com? I believe that the most
> important thing right now is getting them up and running as soon as
> possible.
>
> --
> José Antonio Rey
>
> On Oct 30, 2014 9:33 AM, "Andrea Colangelo" <warp10 a debian.org> wrote:
>         Dear all,
>         we regret to write this email, but we can no longer tolerate problems
>         like the ones we're describing below.
>
>         Today, we noticed the Italian Community web page [0] is not reachable,
>         and a 403 Forbidden error is displayed instead. This was not triggered
>         by any change made by our Website Team, so we investigated the problem
>         with the Canonical Sysadmins.
>
>         Riccardo Padovani, the spokesperson of the Italian Website Team,
>         reached the Canonical Sysadmins; here's an excerpt of the chat they
>         had via IRC:
>
>         <rpadovani> moon127, we have a forbidden advice on every page of
>         http://www.ubuntu-it.org. No changes on our side in last hours, could
>         you take a look please?
>         <moon127> rpadovani, we detected an update from Drupal 7.31 to 7.32
>         recently which did not seem to have been initiated by our guys and
>         taken down as a precaution due to https://www.drupal.org/PSA-2014-003
>         - we have people investigating currently.
>         <rpadovani> moon127, indeed, the update is not from your guys because
>         drupal is managed by us on lp and then sync on server by cron
>         <rpadovani> Here is my commit for Drupal 7.32
>         <rpadovani>
>         https://bazaar.launchpad.net/~ubuntu-it-www/ubuntu-it-www/www-repo/revision/191
>
>         The Drupal update was prepared by Riccardo a few hours after the
>         Drupal Security Bulletin [1] was issued, so the website was no longer
>         vulnerable due to the prompt reaction of Riccardo and the Italian
>         Website Team.
>
>         Nobody stepped in and warned us that the SysAdmin Team was going to
>         turn off the website for "precaution purposes". Neither any members
>         of the Website Team nor any members of the Italian LoCo Team got a
>         notice.
>
>         Also, nobody checked whether the site was actually affected by the
>         vulnerability described in [1]; it has been taken down without any
>         check. Considering how many daily visits our website gets, this looks
>         like an irresponsible course of action. We consider this approach not
>         acceptable at all, especially for a service so important for our
>         Community.
>
>         This is just the latest issue we had while interacting with the
>         Canonical SysAdmin Team (evidence of this can be found in the tickets
>         we filed on [2]), and we are fed up with this. We are grateful for
>         the help we get from Canonical in hosting our websites and many other
>         services; nevertheless, we feel the need for better communication
>         among us.
>
>         Also, our website is still down as we are sending this email. We
>         kindly ask you to provide us with your support to solve these
>         problems as soon as possible.
>
>         [0] http://www.ubuntu-it.org/
>         [1] https://www.drupal.org/SA-CORE-2014-005
>         [2] https://rt.ubuntu.com
>
>         Thank you for your co-operation,
>         Andrea Colangelo
>         on behalf of the Italian LoCo Team
>
>         --
>         Andrea Colangelo                        |   http://andreacolangelo.com
>         Debian Developer <warp10 a debian.org>  |   Ubuntu Developer <warp10 a ubuntu.com>
>         --
>         Loco-council mailing list
>         Loco-council a lists.ubuntu.com
>         Modify settings or unsubscribe at:
>         https://lists.ubuntu.com/mailman/listinfo/loco-council
