Going medival on your ass

[robbat2]

Up until recently, I had thought most Gentoo users and developers to be adults, who made sensible choices in their actions (but not always their words). This may be generalized to acting professionally. I am saddened to report on the ongoing degradation of the community in this regard, and how infra will deal with their side of it.

I've been with the infrastructure team in general for a very long time, however, up until April 2007, I was only the CVS administrator, and had no roles nor access outside of that. Since then, I stepped in as an extra sysadmin, and I've ended up as one of the operational leads, which still means I do most of the work, I just get to make the choices about it too. While the 'old' infra were in some cases called tyrants, dictators, cabals, and other nasty things, we as the 'new infra' hoped to change this view.

We're charged with a lot for developers and users: procuring machines to run them on, maintaining them, developing new services, troubling some user and developer issues (eg: cvs/mirrors) and more.

For myself, in addition to the CVS/SVN/Git services that grew out of my CVS administration, I presently maintain LDAP, Lists and Bugzilla. I have also been the infra liaison to the releng team since 2007.0.

The various VCS and LDAP services are only of primary concern to developers, because extremely few users interact directly with them. However, Bugzilla and Lists are used by significantly more users than developers, and the interactions show.

All messages to mailing lists with 'unsubscribe' in the subject line get moderation and passed to me, and a great many of them are in the realm of blunt and abusive - usually on generic-sounding email accounts that have changed ownership to clueless people. There's also the fun of keeping the spam off (see my recent post to the mlmmj list, of which I should possibly blog about). That's the mundane side. There's also moderation of the actual moderated announcement lists, and tracing mis-delivered list bouncemail as it gets reported. Lastly, and perhaps most important to some, we are held accountable to userrel and devrel for enacting list bans.

Bugzilla gets less direct abuse, however when it happens, it's usually quite flagrant. jakub used to complain to me once or twice a month about users refusing to take no for an answer, and repeatedly filing duplicates, or deleting entire CC lists, or spamming a bug. Since his absence, I've caught less of these early on, simply because he basically read every bug that was filed, and I don't have the time for that (yes, I'd like him back, he did a good job). Bots that ignore robots.txt are a hassle, but are mostly manageable.

For developer issues, we haven't been offering executable homedirs for several years, since some former developers tried running BOINC, and various servers. It seems however that there has never been any codified warning, merely action on a case-by-case basis.

As of today, we're formalizing the handling of this. All infra-maintained machines either already, or will shortly have an AUP banner as follows:

 Any or all uses of this system and all files on this system may be
 intercepted, monitored, recorded, copied, audited, inspected, and
 disclosed to authorized site personnel, as well as authorized officials
 of federal law enforcement agencies, both domestic and foreign. By 
 using this system, the user consents to such interception, monitoring,
 recording, copying, auditing, inspection, and disclosure at the
 discretion of authorized site personnel. Use of this system constitutes
 consent to security monitoring and testing. All activity is logged with
 your host name and IP address. Unauthorized or improper use of this
 system may result in civil and criminal penalties. By continuing to use
 this system you indicate your awareness of and consent to these terms
 and conditions of use. -- Gentoo Linux Infrastructure Admins.

To make it more concise without the legalese: If you abuse a Gentoo infrastructure system, we have no compunctions about kicking your ass and handing you to the suitable authorities (userrel, devrel, $GOV_AUTHORITY).

What does this not mean? Aside from being proactive about patching security issues, we are not intended, nor do have no plans to target people that some of our group don't get along with - we're meant to be accountable and responsible to other authorities in Gentoo. We'll collect the evidence (logging) and execute you (retirement), but somebody else (devrel) gets to sentence you - the only exceptions to this are preemptive actions where we consider security to be at risk.

On the matter of logging, we aren't the Stasi either, we have far better things to do than babysit logs, and we've been logging a lot longer than I was ever even a Gentoo developer. Some former developers and infra folk automated the log analysis, so the only time we really need to look is when something has been brought to our direct attention and needs logs to back it up. The most common uses for the logs are finding abusive users and bots against rsync and bugzilla, plus doing audits after (in)security events.

Comments

[(Anonymous)]

I'm not gonna talk about the bad apples, you'll find 'em anywhere. It's just a matter of strict rules to prevent problems like these, and i feel that something like this is quite normal, logical, whatever you wanna call it. I'm surprised this wasn't there all this time. "Going medival on your ass", well, a title like "Finally creating an AUP" would be more fitting.

It's not only that, the whole problem Gentoo has with the community, seems to me a reaction cause a lack of rules or enforcement of the rules. If people know Gentoo doesn't allow bitching, whining, abusement or whatever, and thats written somewhere, it won't happen that much either and it's a lot easier to ban someone cause the person has broken an AUP.

That, and offcourse a statement of the current services of Gentoo, and the current activities and goals of Gentoo. People have no idea what the heck everyone is doing, where people are working at what or where to go, and start bitching all over the place.

Create an AUP for _every_ service, hire some more moderators for te mailinglists and forums etc, _review the current IRC ops_, then list the services to the developers and users, list the global goals, list the goals of people or small projects, insert a [We need help here, and there] somewhere, and see what happens.

[djcapelis.livejournal.com]

Yuck, I hope it never comes to that.

None of this stuff should ever be necessary. The fact that it is becoming necessary is all rather saddening.

Your solution is a reaction to a symptom of an underlying problem. I don't claim to have a good idea on addressing the underlying problem. But I know that's what's important to address here... and not reacting to various symptoms and creating a less and less conducive environment to get work done.

[(Anonymous)]

So, Gentoo has a neat infrastructure, and offcourse we believe in all the good of the people. They won't abuse it. Suddenly, someone uses it to "attack" a website, and.. damn, what do we do.. oh lets retire him, even though we're not sure he did it. Accusations cause we never had any decent control, and the accused was never protected by a policy. And so he leaves cause he didn't feel like participating in these loose knots tight together anymore.

You must admit we have to pull a line somewhere :)

[robbat2.livejournal.com]

Astinus submitted his own retirement right after the attack, and confessed to it. The Gentoo side of logs confirm that it was him anyway.

[djcapelis.livejournal.com]

Oh at this point it's rock and hard place. I have no disagreement about that.

But the underlying issue still is what needs the most solving.

[(Anonymous)]

Yeah.. true. Well, what would be good idea imho then is putting the problems on digital paper, state em on a Gentoo blog/site/whatever, documentation-like, with possible user input, and try to design solutions or things after that. As if it's a project to work on the issues. Gives people the feeling everyone can work on it and come with solutions.

[djcapelis.livejournal.com]

Sounds like something worth trying. Go for it?

[(Anonymous)]

If i knew enough about the problems, yeh :)