FOXTROT/ALFA: Boeing in Teheran was Shot Down by Iran, Torvalds Doesn’t Want ZFS in the Kernel, DockerCon is Dead

Welcome to issue 60 of FOXTROT/ALFA for Friday, 10 January 2020 and with it the end of the first full week of the newsletter for this year. Here’s some tech reading to take into the weekend.

Google’s Project Zero is Changing its Vulnerability Disclosure Rules

Google’s bug hunters at Project Zero have caused plenty of drama with their “disclosure at all cost” policies in the past. It seems like they are looking to change this at least somewhat in 2020:

Google’s Project Zero cybersecurity team is trialling a new policy where it won’t make security vulnerabilities public early after a fix has been issued. “Full 90 days by default, regardless of when the bug is fixed,” is the team’s new policy, which it will trial for a year before deciding whether to adopt it permanently.

Under the old system, Project Zero’s researchers would give vendors 90 days to fix an issue before making the problem public. However, if a patch was issued within that 90-day window, it would disclose the vulnerability early. This can be a problem, because it means users have to rush to patch a vulnerability before hackers can exploit it. A vulnerability might be fixed by the company, but that doesn’t matter if the patch hasn’t been widely adopted.

So now, regardless of whether a patch is issued 20 days or 90 days after Project Zero makes a vendor aware of the problem, it will still wait 90 days to make the issue public. There are a couple of exceptions, though. One is when there’s “mutual agreement” between the two companies to disclose early, and Project Zero may also extend the deadline by 14 days if it’s taking longer for a vendor to put together a patch. The seven-day deadline for vulnerabilities that are being exploited in the wild will remain unchanged.

UIA Boeing That Crashed in Teheran was Shot Down

Okay, it looks like the 737-NG that crashed in Teheran wasn’t Boeing’s fault – for once. It now looks very much like the plane was shot down, probably by a two-rocket volley from an Iranian 9K330 Tor SAM battery stationed at a garrison close to the airport. The most likely scenario is an accident, as the Iranian forces were probably still on edge from their counter-strike at US bases in Iraq a few hours earlier.

The fact that Iran seems reluctant to hand over the black boxes to Boeing makes this theory even more likely. This seems to be a very similar case to MH17, which was shot down by another type of Russian-built SAM battery over Ukraine in 2014.

Meltdown at Web Hoster Gandi

French web hoster Gandi wiped out the data of around 300 customers by accident.

The hoster had lost some customer data after a ZFS storage box in Luxembourg broke down and had to be replaced using a backup. Efforts to restore the data, however, failed, and there were no snapshots available to recover.

“The storage unit became unavailable, prompting an interruption in service for all PaaS and IaaS services using the disk associated with that unit,” the Gandi team said. “The data import on the emergency machine was not possible due to a corruption of the meta-data that we are not aware of the cause of.”

“We now have some hope that we may recover the data but as we can’t confirm it at the moment, customers who needed or need an immediate recovery should use their own backups, as was our initial recommendation.”

Posting GIFs in response didn’t go down well with customers either.

There Will Be No ZFS in Linux Kernel, Says Torvalds

Speaking of ZFS, accidents like this are probably why Linus Torvalds says “don’t use ZFS”. Well, actually, he said that because he doesn’t want to deal with its license.

If somebody adds a kernel module like ZFS, they are on their own. I can’t maintain it, and I can not be bound by other people’s kernel changes.

And honestly, there is no way I can merge any of the ZFS efforts until I get an official letter from Oracle that is signed by their main legal counsel or preferably by Larry Ellison himself that says that yes, it’s ok to do so and treat the end result as GPL’d.

Which isn’t going to happen. Ever.

Other people think it can be ok to merge ZFS code into the kernel and that the module interface makes it ok, and that’s their decision. But considering Oracle’s litigious nature, and the questions over licensing, there’s no way I can feel safe in ever doing so. And I’m not at all interested in some “ZFS shim layer” thing either that some people seem to think would isolate the two projects. That adds no value to our side, and given Oracle’s interface copyright suits (see Java), I don’t think it’s any real licensing win either.

Don’t use ZFS. It’s that simple. It was always more of a buzzword than anything else, I feel, and the licensing issues just make it a non-starter for me.

DockerCon is Dead

No more Docker conferences in San Francisco. Or in Austin.

DockerCon is going virtual in 2020! The June 15-18, 2020 event in Austin, TX will no longer take place & will be a virtual event instead. Thank you for being a part of the DockerCon community! See you at the virtual event

Looks to me like that company is toast.

Also Noteworthy

Additional stories I came across that you might find interesting:

Well, that’s it for me for this week. I’ll see you on Monday. Until then, remember your local Witcher and toss him a coin, will ya?

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.