[Gruppo-web] [loco-council] Disappointed by Canonical SysAdmin Team behaviour
cprofitt
cprofitt a ubuntu.com
Thu 30 Oct 2014 19:35:17 GMT
Thanks for raising this issue.
I have never managed a Canonical supported website before so I would
like to ask for some background.
* Is there an SLA that Canonical has made to community web pages
they host?
* Is there any agreement in regards to notification when problems
arise?
* Was it documented that the IT team has control of the Drupal
environment via LP? If so, how did the IS team miss that they had
made that change?
* How is the risk evaluated? Is there a guide that those affected
can be made aware of to help them understand?
* Is there any site or communication that lets teams know when
service will be restored?
I can see with this particular vulnerability why action was taken, but I
think it is reasonable that the IS team communicate with the people
listed as contacts on the affected sites. Good incident response /
security teams have a designated person (often non-technical) that is
responsible for communications during incidents; does Canonical IS have
such a person?
Charles
On Thu, 2014-10-30 at 09:48 -0500, José Antonio Rey wrote:
> Andrea,
>
> First of all, I would like to apologize for any inconveniences you may
> have experienced because of this downtime.
>
> The IS team is always working on improving security on the servers,
> but it appears there was a misunderstanding.
>
> I recognize that it would be a good idea to send out an announcement
> to the contact for the webpage in the event there is a suspicion about
> a security vulnerability. This would've made the process way easier,
> and I guess it is something that could be worked on.
>
> Daniel, Michael, is there a way we could get a ticket filed on
> rt.admin.canonical.com in order to give this a bit more priority,
> or to get a priority bump on rt.ubuntu.com? I believe that the most
> important thing right now is getting them up and running as soon as
> possible.
>
> --
> José Antonio Rey
>
> On Oct 30, 2014 9:33 AM, "Andrea Colangelo" <warp10 a debian.org> wrote:
> Dear all,
>
> we regret to write this email, but we can no longer tolerate problems
> like the ones we're describing below.
>
> Today, we noticed the Italian Community web page [0] is not reachable,
> and a 403 Forbidden error is displayed instead. This was not triggered
> by any change made by our Website Team, so we investigated the problem
> with the Canonical Sysadmins.
>
> Riccardo Padovani, the spokesperson of the Italian Website Team, reached
> the Canonical Sysadmins; here's an excerpt of the chat they had via IRC:
>
> <rpadovani> moon127, we have a forbidden advice on every page of
> http://www.ubuntu-it.org. No changes on our side in last hours, could
> you take a look please?
> <moon127> rpadovani, we detected an update from Drupal 7.31 to 7.32
> recently which did not seem to have been initiated by our guys and taken
> down as a precaution due to https://www.drupal.org/PSA-2014-003 - we
> have people investigating currently.
> <rpadovani> moon127, indeed, the update is not from your guys because
> drupal is managed by us on lp and then sync on server by cron
> <rpadovani> Here my commit for Drupal 7.32
> <rpadovani> https://bazaar.launchpad.net/~ubuntu-it-www/ubuntu-it-www/www-repo/revision/191
>
> The Drupal update was prepared by Riccardo a few hours after the Drupal
> Security Bulletin [1] was issued, so the website was no longer
> vulnerable due to the prompt reaction of Riccardo and the Italian
> Website Team.
>
> Nobody stepped in and warned us that the SysAdmin Team was going to turn
> off the website for "precaution purposes". Neither any members of the
> Website Team nor any members of the Italian LoCo Team got a notice.
> Also, nobody checked whether the site was actually affected by the
> vulnerability described in [1]; it has been taken down without any
> check. Considering how many daily visits our website gets, this looks
> like an irresponsible course of action. We consider this approach not
> acceptable at all, especially for a service so important for our
> Community.
>
> This is just the latest issue we had while interacting with the
> Canonical SysAdmin Team (evidence of this can be found in the tickets we
> filed on [2]), and we are fed up with this. We are grateful for the help
> we get from Canonical in hosting our websites and many other services;
> nevertheless we feel the need for better communication among us.
>
> Also, our website is still down as we are sending this email. We kindly
> ask you to provide us with your support to solve these problems as soon
> as possible.
>
> [0] http://www.ubuntu-it.org/
> [1] https://www.drupal.org/SA-CORE-2014-005
> [2] https://rt.ubuntu.com
>
> Thank you for your co-operation,
>
> Andrea Colangelo
> on behalf of the Italian LoCo Team
>
>
> --
> Andrea Colangelo | http://andreacolangelo.com
> Debian Developer <warp10 a debian.org> | Ubuntu Developer <warp10 a ubuntu.com>
>