Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Operating Systems Cloud Ubuntu Linux

Taking a Stand Against Unofficial Ubuntu Images (ubuntu.com) 103

Canonical isn't pleased with cloud providers who are publishing broken, insecure images of Ubuntu despite being notified several times. In a blogpost, Mark Shuttleworth, the founder of Ubuntu, and the Executive Chairman and VP, Product Strategy at Canonical, made the situation public for all to see. An excerpt from the blog post: We are currently in dispute with a European cloud provider which has breached its contract and is publishing insecure, broken images of Ubuntu despite many months of coaxing to do it properly. The home-grown images on the cloud, VPS and bare metal services of this provider disable fundamental security mechanisms and modify the system in ways that are unsupportable. They are likely to behave unpredictably on update in weirdly creative and mysterious ways (the internet is full of fun examples). We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that. We have spent many months of back and forth in which we unsuccessfully tried to establish the same operational framework on this cloud that already exists on tens of clouds around the world. We have on multiple occasions been promised it will be rectified to no avail. We are now ready to take legal steps to remove these images. We will seek to avoid affecting existing running users, but we must act to prevent future users from being misled. We do not make this move lightly, but have come to the view that the value of Ubuntu to its users rests on these commitments to security, quality and updates.
This discussion has been archived. No new comments can be posted.

Taking a Stand Against Unofficial Ubuntu Images

Comments Filter:
  • by Nutria ( 679911 ) on Friday December 02, 2016 @12:16PM (#53408933)

    That does us no good. Give us a name!!

    • That does us no good. Give us a name!!

      And potentially screw up a legal process?
      And if they lose open them up to an instant libel lawsuit?

      Take things one step at a time. If this initial scare tactic doesn't fix the problem you'll find out the name soon enough.

    • Exactly - why would anyone bother to mess with the image, if Canonical is doing the work for free.

      One can only assume they are breaking "Ubuntu" on purpose.

      Let people know who is being shady.
      • VPS providers usually have reasonable reasons to customize the distros they run somewhat to fit within the framework they're using to virtualize each server - which are vary rarely simple "VMWare on a Xeon" type environments due to cost/scalability issues.

        My guess is that certain providers are crappier than others.

    • Hmm, possibly the Mediterranean, though the English Channel and North Sea can also be sources of clouds in Europe.

  • The relevant portion (Score:3, Informative)

    by Anonymous Coward on Friday December 02, 2016 @12:18PM (#53408953)

    The article is a bit vague. I believe the relevant snippet comes from this part:

    To count some of the ways we have seen home-grown images create operational and security nightmares for users: clouds have baked private keys into their public images, so that any user could SSH into any machine; clouds have made changes that then blocked security updates for over a week; clouds have confused users with image- or kernel-soup, and users have been pushed into building their own images; VMs have had changes that resulted in very slow boot or poor performance; unstable kernels that disable features Ubuntu packages expect to be there; and many more. When things like this happen, users are left feeling let down. As the company behind Ubuntu, it falls to Canonical to take action.

    This better explains WHAT is happening as the original article seems to leave the reader guess WHO, which isn't the point to begin with.

    • by Anonymous Coward on Friday December 02, 2016 @12:42PM (#53409135)

      clouds have baked private keys into their public images, so that any user could SSH into any machine

      Holy shit.

      • by kriston ( 7886 )

        This is trivially simple to fix. Honestly, who doesn't check for unknown authorized user keys, and, for that matter, who doesn't also re-key their host keys?

        Oh, wait, GitHub Enterprise, that's who.

    • clouds have baked private keys into their public images, so that any user could SSH into any machine

      The first capture the flag hacking event hosted by my college's volunteer systems team (which supplemented the IT staff) had this problem. Every system had the same SSH keys, so it was easy to man-in-the-middle your opponents, gain their credentials, then log into their actual systems. One of the teams that discovered this (and won the contest) went on to host the next year's event. (This was not recent.)

  • by Anonymous Coward
    A website I reported here a few months ago (that didn't make the front page) that has now been taken down. The URL was www.uhuntu.com , yes that's an "h" instead of a "b" in ubuntu. The website looked almost exactly like ubuntu.com, and even mirrored some of the download links, although I didn't check all of them.
  • Said the packager of the most bug-ridden distro in open source history.
  • The Microsoft of the FOSS world.
    • How does this situation lead you to that conclusion?

      Are you saying Canonical should just allow Ubuntu's trademark to be used, even when it's clear the underlying VM image has been badly compromised by the cloud provider?

  • How broken they might be, but keep loyal to the spirit of open source. People have the right to use and modify your stuff. So let them do it and STFU.

    • Uhhh... I'm not entirely clear where your logic follows from.

      Canonical isn't saying "don't modify and use Ubuntu"... they're saying "don't break Ubuntu in stupid ways, but then still plaster the Ubuntu trademark all over your sales material". This seems like a perfectly reasonable request to me.

      Let's say you made a brand of beer, let's call it allo's ale, and you start giving this away to local pubs to serve to customers. Then, one local pub decides to mix your beer with their leftover coffee dregs (hipster

      • by allo ( 1728082 )

        The problem is, when you make a opensource distribution with a name, you should not use trademarks to prevent people from making derivatives. And a "ubuntu plus our installer" is still an ubuntu after installation. If the installer fails miserably ... people will know, that this did not happen when they installed ubuntu from the original cd.

        • They're not preventing people from making derivatives. They're preventing the derivatives from mentioning the Ubuntu system underpinning it, because Canonical believes (with a decent amount of proof) that this is tarnishing the Ubuntu brand name.

          Canonical is not the first, nor will they be the last, to do this. Mozilla, Debian, RedHat... all these major distros enforce the same rules.

          Again, the cloud providers *can* make their own versions/distros based on Ubuntu... they just can't advertise this fact unles

          • by allo ( 1728082 )

            Mozilla does the same and gets the same criticism. Debian doesn't prevent people from make "debian derivatives".

            • Mozilla does the same and gets the same criticism. Debian doesn't prevent people from make "debian derivatives".

              You keep repeating "prevent people from make [...] derivatives", but that is explicitly NOT what's going on here.

              You can make as many derivatives as you want... you just can't call them "Allo's Ubuntu", unless you pass Canonical's criteria for using the trademark.

              • by allo ( 1728082 )

                What is a modified Ubuntu (possibly broken), when it's no derivative (of the original ubuntu)?

                • Quoting define:google just for clarity:

                  derivative: something which is based on another source.

                  If it's a modified Ubuntu, it's a derivative. You can still make modified Ubuntu distributions. You just can't re-use the TRADEMARK when advertising your derivative. That is, you can use the source code exactly how you want. You cannot use the Ubuntu name to advertise your resulting distro, unless you meet minimum guidelines.

                  Also, Debian does have protection around the use of it's name in things: https://www.debian.org/tradema... [debian.org]

                  Specifically:

                  You cannot use Debian trademarks in any way that suggests an affiliation with or endorsement by the Debian project or community, if the same is not true.

                  To summarise: You can still

  • okay, so this is about trademarks. canonical's trademark is being brought into disrepute by the irresponsible action of some cloud providers: it's perfectly reasonable for them to sort this out. now, here's where i have an issue with canonical: why do they think it's okay to have *canonical* not brought into disrepute, when they are themselves acting in a criminal capacity, bringing the *linux* trademark into disrepute by illegally distributing linux kernel source code after they lost their right to do so

    • quit aping that nonsense, perfectly fine to distribute kernel modules with alternate license. no violation of gpl2 in that case.

I have a very small mind and must live with it. -- E. Dijkstra

Working...