on Fri, Nov 21, 2003 at 11:50:40AM -0800, Brian Nelson ([EMAIL PROTECTED]) wrote:
> Arnt Karlsen <[EMAIL PROTECTED]> writes:
>
> > On Fri, 21 Nov 2003 02:00:35 -0800,
> > Brian Nelson <[EMAIL PROTECTED]> wrote in message
> >> > There should be an official announcement one way or the other soon.
> >>
> >> Yes, within the next hour.
> >
> > ..www.debian.org and debian.org are both up, but still no statement at
> > Fri Nov 21 14:27:28 CET 2003.
>
> I guess you don't subscribe to debian-announce?
I guess debian-announce took four days to deliver to me. What with 27k subscribers, I wasn't far up enough on the queue. I've seen mrtg graphs of deliveries and queues for d-u the past few days, and they're not pretty.

There was some discussion of this already with Manoj and others on IRC. The upshot: a disaster plan, including communications needs and some general plan, capability, or requirement that critical announce lists be capable of being run on a jury-rigged basis if needed.

My specific suggestion: reasonably current (say, within the past week) subscriber lists for d-a and d-s-a be maintained off the primary Debian mailservers, where critical people (listmaster, press, debian-leader) can, if needed, make a broadcast announcement of trouble. In a pinch this could be done through a handcrafted alias within an MTA, or a shell script. The main requirement would be that a box with a sufficiently high bandwidth connection to handle an outbound delivery be available.

Also to be addressed: any special mitigation, cleanup, forensics, or analysis steps which should be made. I took the prophylactic precaution of running "apt-get clean" on all my systems once I heard of the compromise (unnecessary as it turns out), though others were asking what if any security precautions they should take.

We did pretty well, considering murphy was down and with it all lists. Between IRC, Slashdot, and several other news and web sites, _I_ had a pretty good idea of what was going on (though I wasn't sure what if anything I should do). Others were markedly less informed. I helped get word out where I could.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
NPR: Radio for between the ears: http://www.npr.org/