non-disclosure of infrastructure problem a management issue?
Thomas Cameron
thomas.cameron at camerontech.com
Sun Aug 24 17:46:59 UTC 2008
Björn Persson wrote:
> max wrote:
>> You had no idea there was a security
>> issue? It was the first thing to cross my mind when I first saw the
>> announcement. What else could it have been? Why else the cryptic
>> message?
>
> You're lucky to be that paranoid. Many people would call me paranoid if they
> knew what kind of security measures I take with my home computers, but
> apparently I'm not paranoid enough yet.
>
> Can you answer the opposite question: Why the cryptic message? Can you think
> of a rational reason to avoid the word "security"? Something more concrete
> than just "legal issues"?
The whole point is that no one on this list except possibly Red Hat
employees or Fedora board members can answer that. These are not stupid
people. These are not dishonest people. They're not devious folks.
These are the same folks from whom you consume a distribution, people
who devote their careers to making OSS, specifically Fedora, work as
well as it does. They do a really hard, mostly thankless job.

Recovery from a security breach is *very* hard work. You need to determine the
attack vector, the extent of the breach, remediate the breach, rebuild
damaged servers, restore data and services, notify anyone whose
information might have been compromised, forensically analyze the
systems, etc., etc., etc. All while trying to preserve any evidence
which might be needed by any law enforcement agencies which have been
involved. Oh, and until the full extent of the breach is determined, it
is foolish and irresponsible to announce anything about that breach.

Had Paul said "Hey all, we've gotten hacked and we don't know how badly
or how they got in or what the damage is" he'd have been eaten alive,
and rightly so. Instead he took a very reasonable approach, apparently
disclosed as much as he could at the time, and warned folks as soon as
he could to not trust updates.

But here you come from the outside and publicly call the head of the
project a liar when you *clearly* do not have all the information. What
arrogance. Congratulations, you've just landed at the top of the
"Asshole of the Year" list.

Welcome to my killfile, Björn.
--
Thomas