Taking a Stand Against Unofficial Ubuntu Images (ubuntu.com)
Canonical isn't pleased with cloud providers who are publishing broken, insecure images of Ubuntu despite being notified several times. In a blog post, Mark Shuttleworth, the founder of Ubuntu, and the Executive Chairman and VP, Product Strategy at Canonical, made the situation public for all to see. An excerpt from the blog post:
"We are currently in dispute with a European cloud provider which has breached its contract and is publishing insecure, broken images of Ubuntu despite many months of coaxing to do it properly. The home-grown images on the cloud, VPS and bare metal services of this provider disable fundamental security mechanisms and modify the system in ways that are unsupportable. They are likely to behave unpredictably on update in weirdly creative and mysterious ways (the internet is full of fun examples). We hear about these issues all the time, because users assume there is a problem with Ubuntu on that cloud; users expect that 'all things that claim to be Ubuntu are genuine', and they have a right to expect that. We have spent many months of back and forth in which we unsuccessfully tried to establish the same operational framework on this cloud that already exists on tens of clouds around the world. We have on multiple occasions been promised it will be rectified to no avail. We are now ready to take legal steps to remove these images. We will seek to avoid affecting existing running users, but we must act to prevent future users from being misled. We do not make this move lightly, but have come to the view that the value of Ubuntu to its users rests on these commitments to security, quality and updates."
Re:It's OVH (Score:4, Insightful)
Not just OVH, any second rate hosting company does it. DreamHost does as well, 1and1. They're a pain in the neck to work with because any update breaks everything and you're stuck with old versions of Apache, nginx and PHP because of it. Sure it helps them because they can deduplicate the shit out of the memory and storage but it's broken.
If you're paying less than $20/mo for a VPS, you're shafted.
Re: (Score:2)
I have a VPS that costs me $12/month. It's a full KVM VPS. No hosting mods whatsoever. I control the kernel and all the packages on it.
Re:It's OVH (Score:4, Informative)
How many other people are on those servers? I've tried plenty of instances but once you start using your actually assigned quotas (1 CPU and 512MB RAM) you will notice an intense slowdown. Or you're sitting on a server with some other people that are heavy users, same problem.
I've tried a bunch of them, for home/dev use, perhaps, but for real work, not suitable. And whenever you ask how many other customers they have, they either don't tell or it's astronomically high.
DigitalOcean: doesn't tell anything about their infrastructure and if you use too many resources they cut you off with a "TOS violation". From what I can measure, I estimate 50-100 hosts per 'real' server but don't use more than 20% of your CPU for a period of time because you'll be out.
DreamHost: the oversell must be close to 200 hosts per server. Continuously 100-200ms ping rates, their 'shared MySQL' would take 500ms to even complete a simple query. The host got cut off several times per month for various technical reasons.
1and1: Another over-seller, absolutely awful support, after a while they just tried to up-sell me packages that would have no impact on the performance - I'm not running out of storage dimwits.
Re: (Score:2)
I would not expect a lot of real CPU for $12/month. It works for me (small mail/web server, VPN endpoint, etc.).
If I were relying on a machine for work, it would probably be better to pay for a dedicated machine, or to install my own hardware in a datacenter.
The problems I have seen have been the time when they started shutting down the infrastructure and one class of VMs. I only found out because I noted that the RDNS wasn't working. They claimed that they had sent me an email telling me that I needed to m
Re: (Score:2)
It's not just VPSs. A project I cofounded used a dedicated server running Debian from dreamhost (chosen because it was cheap and came with unlimited bandwidth). In setting the server up we removed apache and installed nginx.
Doing so broke the boot process!
IIRC Dreamhost support managed to find a way to manually boot the box but couldn't help with actually fixing it and then we found a way to hack up their scripts so it would boot by itself again.
Re: (Score:2)
I'm paying less than $20 per quarter (actual rate is €15.12 IIRC) for Gentoo running on Xen. emerge -auND --with-bdeps=y --backtrack=100 @world works the same on it as it does on my desktop at home.
Re: (Score:2)
Not just OVH, any second rate hosting company does it. DreamHost does as well, 1and1. They're a pain in the neck to work with because any update breaks everything and you're stuck with old versions of Apache, nginx and PHP because of it. Sure it helps them because they can deduplicate the shit out of the memory and storage but it's broken.
If you're paying less than $20/mo for a VPS, you're shafted.
For that price range, you can just get a small AWS server and not have these problems (especially if you can pay for 3 years up front).
Re: (Score:2)
My $5/mo VPS gives me FreeBSD and a plethora of other options.
Re: (Score:2)
All right, I'll bite. Where can I get FreeBSD for $5/mo? I used to use BSDVM, but they went under. The others I found were pretty much all grossly overpriced or unacceptably broken in some way.
Re: (Score:3)
https://www.digitalocean.com/p... [digitalocean.com]
Re: (Score:2)
Oof, be prepared to not like the slow storage. It may be SSD, but it benchmarks marginally better than magnetic.
Maybe they should buy some 10g switches and set up a Fibre Channel fabric. Their competitors at $5/month have 10-20x faster storage speed.
Digital Ocean @ $5/mos (Score:2)
Re: (Score:2)
Run away from DreamHost. They're cheap but you get what you pay for, though 1and1 is now price competitive with far higher performance from my benchmarks.
But DreamHost is actually shutting down and scrapping their East-1 cloud environment in January. Data will be lost permanently in less than a month. But that's okay because they told us months ago and are giving away the service for no charge before it gets torn down. But is it?
Okay, so move to next-gen East-2 with their "SSD" storage, but then find ou
Re:What contract? (Score:5, Insightful)
Most likely it's more an issue of using the name Ubuntu.
Re:What contract? (Score:5, Insightful)
Such is the life of those that mix companies and open source.
No, not really. Microsoft open sourced many of their components in the .Net framework, but if I take an old version, apply 1000+ custom patches that break everything, and then try to call it "Microsoft .Net", they would be pissed - and they'd have every right to be. They may give away the code, but that does not mean they're giving away their reputation, and if this company doesn't bother to even attempt to address complaints, then they need to find a new name for it. I personally think companies are draconian over the abstractedness of copyright and imagined profit losses, but even I think Canonical has a legitimate case here.
Re: (Score:2)
If you've heavily modified it, replaced key functional systems with custom-made versions, and are looking to sell it in quantities? You bet your ass you should, otherwise Ford will string you up to dry for trademark infringement, and be right to do so.
Re: (Score:2)
No, you'd be wrong about that. State vehicle registration law does not override federal trademark law. As soon as you are damaging the value of their mark, you're history.
Not exactly. Factual use of a trademark by a third party is not infringement. As long as what you are selling is an actual Ford product, you are free to call it a Ford without Ford's permission, and they cannot stop you. If your company customizes or modifies a product and resells it, you can call it what it is by using the original manufacturer's name and product name. You cannot imply that you are that original company though. See, for example, Lingenfelter's marketing of Chevrolet-compatible parts and cu
Re: (Score:2)
You're the one who's wrong.
If you modify a <MAKE> vehicle, even extensively, you absolutely can sell it as a modified <MAKE> because that's what it is.
I can buy a McDonald's Big Mac, take a shit in it, and sell it as a McDonald's Big Mac, with Shit. At worst I'd need to declare that I'm not McDonald's and McDonald's owns "McDonald's" (even though they stole it from some dude) and "Big Mac".
Re: (Score:3)
If a customer had a problem with a Ford that turned out to be a modified Ford and the modifications were the problem (or even if they weren't) then Ford would likely take action. They rightly don't want their valuable brand name tarnished by someone's modifications.
Re: (Score:2)
I've got a 20 year old Ford car, should I rename it?
Not necessary, because it's the same physical car.
Redistributing OS images is more like manufacturing new cars. You can't build replicas of your car and offer them for sale as genuine "Fords".
Re: (Score:2)
It's the name that's the problem, not that they're distributing source code.
Re: (Score:2)
It is the name.
Coca Cola would not like me to add drain opener to their product, call it "Coke" and distribute it.
Re: (Score:2)
*Any* use of the name is likely to be a trademark infringement. That's why projects like CentOS, that repackage Red Hat, have their work cut out for them. To be fully in compliance, you have to remove *every* reference to the original name, *every* proprietary icon, etc.
Re: (Score:2)
What if they removed all of the Ubuntu names on the exterior, the webpage, the file name, etc? Ubuntu still has their name all over the interior, no?
Re: (Score:1)
The name and logo of the distro aren't GPL. Anyone is free to create their own Ubuntu derivative, but they can't call it Ubuntu without approval.
Re: (Score:2, Insightful)
And there it is. I came here to see some idiot claiming the GPL has anything to do with this.
Despite its ability to be abused, this is a textbook case of Trademark law being used correctly. Someone is misrepresenting a product that is not Ubuntu as Ubuntu and selling it. The entity that trades under the "mark" Ubuntu can force them to stop, thus protecting the consumer from fraud.
Re:What contract? (Score:5, Insightful)
It's not a copyright issue, it's a trademark issue. You're not allowed to break Ubuntu and still call it Ubuntu.
See also the Debian/Mozilla trademark silliness. [wikipedia.org]
Re: (Score:2)
Uh, no, as a virtual machine reseller they are selling a broken copy of Ubuntu as a service. Canonical is within their rights to ask them to stop using their software's name (say, to OVH Linux) if they aren't going to fix the issue.
For a car analogy: If an independent Ford dealership started filling up their cars' gas tanks with sugar you better believe Ford will come in and put a stop to that real fast.
Re: (Score:2)
They can modify it all they want but it is no longer Ubuntu. It has a different kernel, different drivers, and handles virtualisation very differently.
If a user had scripts running on Ubuntu and then migrated over to the new service provider, those scripts would likely stop working. These companies are using the Ubuntu name because the experience will be similar, however, there will be confusion where the user expects the experience to be identical.
Better would be to call it "Based on Ubuntu" or "Ubuntu-esq
Brands and trademarks are *not* silly. (Score:2)
Branding is not silly. [slashdot.org] In fact, it is essential to getting a good product off the ground and into widespread use. Those neat Mozilla / Firefox video ads are at least as important to Firefox acceptance as the newest Adblocker plugin is. If they need to protect their brand and Debian sees no way of integrating a product called "Firefox" because the FF branding/trademark conflicts with Debian's rules, then they will have to ditch the brand, even though the product is the same. You could argue that Debian is being
Re: (Score:2)
Shuttleworth and Ubuntu have actually been quite generous. They should start suing the companies in question and make some noise about why exactly they are doing it.
Indeed, particularly considering that trademarks can be lost if not defended.
Re: (Score:2)
Canonical may be willing to enter an agreement to allow use of the Ubuntu trademark, but only under certain conditions. After all, my modifications may reflect poorly on their valuable name.
"a European cloud provider" (Score:5, Insightful)
That does us no good. Give us a name!!
Re: (Score:3)
That does us no good. Give us a name!!
And potentially screw up a legal process?
And if they lose open them up to an instant libel lawsuit?
Take things one step at a time. If this initial scare tactic doesn't fix the problem you'll find out the name soon enough.
Re: (Score:2)
One can only assume they are breaking "Ubuntu" on purpose.
Let people know who is being shady.
The relevant portion (Score:3, Informative)
The article is a bit vague. I believe the relevant snippet comes from this part:
This better explains WHAT is happening, as the original article seems to leave the reader guessing WHO, which isn't the point to begin with.
Re:The relevant portion (Score:5, Insightful)
clouds have baked private keys into their public images, so that any user could SSH into any machine
Holy shit.
Re: (Score:2)
This is trivially simple to fix. Honestly, who doesn't check for unknown authorized user keys, and, for that matter, who doesn't also re-key their host keys?
Oh, wait, GitHub Enterprise, that's who.
Yuuup (Score:2)
The first capture the flag hacking event hosted by my college's volunteer systems team (which supplemented the IT staff) had this problem. Every system had the same SSH keys, so it was easy to man-in-the-middle your opponents, gain their credentials, then log into their actual systems. One of the teams that discovered this (and won the contest) went on to host the next year's event. (This was not recent.)
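The two checks raised in the comments above (login keys nobody on the system added, and host keys that were never regenerated after cloning an image) can be run over mounted filesystem roots. This is an added example, not part of any comment or of Canonical's tooling; the directory layout, the allowlist parameter and the key blobs are constructed for illustration and are not real keys.

```python
import base64, hashlib, tempfile
from collections import defaultdict
from pathlib import Path

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of a public-key line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue  # e.g. "ssh-..." text inside a command="..." option
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def audit(roots, allowed=frozenset()):
    """roots maps a system name to the Path of its mounted filesystem root."""
    host_keys = defaultdict(set)  # fingerprint -> systems presenting it
    unknown = []                  # (system, file, fingerprint) not in allowed
    for name, root in roots.items():
        for pub in root.glob("etc/ssh/ssh_host_*_key.pub"):
            fp = fingerprint(pub.read_text())
            if fp:
                host_keys[fp].add(name)
        for pattern in ("root/.ssh/authorized_keys*", "home/*/.ssh/authorized_keys*"):
            for ak in root.glob(pattern):
                for line in ak.read_text().splitlines():
                    fp = None if line.lstrip().startswith("#") else fingerprint(line)
                    if fp and fp not in allowed:
                        unknown.append((name, str(ak.relative_to(root)), fp))
    shared = {fp: sorted(names) for fp, names in host_keys.items() if len(names) > 1}
    return shared, unknown

def demo():
    """Two constructed 'VM' trees cloned from one image; blobs are not real keys."""
    blob = lambda s: base64.b64encode(s.encode()).decode()
    host, baked, mine = blob("constructed-host-key"), blob("constructed-baked-key"), blob("constructed-own-key")
    base = Path(tempfile.mkdtemp())
    roots = {}
    for name in ("vm1", "vm2"):
        root = base / name
        (root / "etc/ssh").mkdir(parents=True)
        (root / "root/.ssh").mkdir(parents=True)
        (root / "etc/ssh/ssh_host_ed25519_key.pub").write_text(f"ssh-ed25519 {host} root@image\n")
        (root / "root/.ssh/authorized_keys").write_text(
            f"ssh-ed25519 {baked} provider@build\n# my key\nssh-ed25519 {mine} me@laptop\n")
        roots[name] = root
    return audit(roots, allowed={fingerprint(f"ssh-ed25519 {mine}")})

if __name__ == "__main__":
    shared, unknown = demo()
    print("host keys shared across systems:", shared)
    print("login keys not on the allowlist:", unknown)
```

Any fingerprint reported as shared means those systems present the same host identity and should have their host keys regenerated; any login key off the allowlist should be removed from the image before it is published.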
I think this was about... (Score:1)
Commitment to security, quality, and updates?? (Score:1)
Take a stand against Ubuntu. Period. (Score:1, Insightful)
Re: (Score:1)
How does this situation lead you to that conclusion?
Are you saying Canonical should just allow Ubuntu's trademark to be used, even when it's clear the underlying VM image has been badly compromised by the cloud provider?
Fuck Canonical (Score:2)
How broken they might be, but keep loyal to the spirit of open source. People have the right to use and modify your stuff. So let them do it and STFU.
Re: (Score:1)
Uhhh... I'm not entirely clear where your logic follows from.
Canonical isn't saying "don't modify and use Ubuntu"... they're saying "don't break Ubuntu in stupid ways, but then still plaster the Ubuntu trademark all over your sales material". This seems like a perfectly reasonable request to me.
Let's say you made a brand of beer, let's call it allo's ale, and you start giving this away to local pubs to serve to customers. Then, one local pub decides to mix your beer with their leftover coffee dregs (hipster
Re: (Score:2)
The problem is, when you make an opensource distribution with a name, you should not use trademarks to prevent people from making derivatives. And a "ubuntu plus our installer" is still an ubuntu after installation. If the installer fails miserably ... people will know, that this did not happen when they installed ubuntu from the original cd.
Re: (Score:1)
They're not preventing people from making derivatives. They're preventing the derivatives from mentioning the Ubuntu system underpinning it, because Canonical believes (with a decent amount of proof) that this is tarnishing the Ubuntu brand name.
Canonical is not the first, nor will they be the last, to do this. Mozilla, Debian, RedHat... all these major distros enforce the same rules.
Again, the cloud providers *can* make their own versions/distros based on Ubuntu... they just can't advertise this fact unles
Re: (Score:2)
Mozilla does the same and gets the same criticism. Debian doesn't prevent people from make "debian derivatives".
Re: (Score:1)
Mozilla does the same and gets the same criticism. Debian doesn't prevent people from make "debian derivatives".
You keep repeating "prevent people from make [...] derivatives", but that is explicitly NOT what's going on here.
You can make as many derivatives as you want... you just can't call them "Allo's Ubuntu", unless you pass Canonical's criteria for using the trademark.
Re: (Score:2)
What is a modified Ubuntu (possibly broken), when it's no derivative (of the original ubuntu)?
Re: (Score:1)
Quoting define:google just for clarity:
derivative: something which is based on another source.
If it's a modified Ubuntu, it's a derivative. You can still make modified Ubuntu distributions. You just can't re-use the TRADEMARK when advertising your derivative. That is, you can use the source code exactly how you want. You cannot use the Ubuntu name to advertise your resulting distro, unless you meet minimum guidelines.
Also, Debian does have protection around the use of its name in things: https://www.debian.org/tradema... [debian.org]
Specifically:
You cannot use Debian trademarks in any way that suggests an affiliation with or endorsement by the Debian project or community, if the same is not true.
To summarise: You can still
Re: (Score:2)
The spirit of opensource (not the trademark laws) says, you're allowed to do so. If you do too much nonsense, i may post on my homepage, that your project isn't mine. If you just add a few (broken) scripts, i will try to work with you to fix them first. Because i am happy, when you add scripts, i did not need but which are useful for people using my product.
And i guess there is no intent to break it, it's just inability to make good installer images. See hanlon's law.
Trademarks (Score:2)
okay, so this is about trademarks. canonical's trademark is being brought into disrepute by the irresponsible action of some cloud providers: it's perfectly reasonable for them to sort this out. now, here's where i have an issue with canonical: why do they think it's okay to have *canonical* not brought into disrepute, when they are themselves acting in a criminal capacity, bringing the *linux* trademark into disrepute by illegally distributing linux kernel source code after they lost their right to do so
Re: (Score:2)
quit aping that nonsense, perfectly fine to distribute kernel modules with alternate license. no violation of gpl2 in that case.