non-disclosure of infrastructure problem a management issue?

Thomas Cameron thomas.cameron at camerontech.com
Sun Aug 24 17:46:59 UTC 2008


Björn Persson wrote:
> max wrote:
>> You had no idea there was a security
>> issue? It was the first thing to cross my mind when I first saw the
>> announcement. What else could it have been? Why else the cryptic
>> message?
> 
> You're lucky to be that paranoid. Many people would call me paranoid if they 
> knew what kind of security measures I take with my home computers, but 
> apparently I'm not paranoid enough yet.
> 
> Can you answer the opposite question: Why the cryptic message? Can you think 
> of a rational reason to avoid the word "security"? Something more concrete 
> than just "legal issues"?

The whole point is that no one on this list except possibly Red Hat 
employees or Fedora board members can answer that.  These are not stupid 
people.  These are not dishonest people.  They're not devious folks. 
These are the same folks from whom you consume a distribution, people 
who devote their careers to making OSS, specifically Fedora, work as 
well as it does.  They do a really hard, mostly thankless job.

Recovery from a security breach is *very* hard work.  You need to determine the 
attack vector, the extent of the breach, remediate the breach, rebuild 
damaged servers, restore data and services, notify anyone whose 
information might have been compromised, forensically analyze the 
systems, etc., etc., etc.  All while trying to preserve any evidence 
which might be needed by any law enforcement agencies which have been 
involved.  Oh, and until the full extent of the breach is determined, it 
is foolish and irresponsible to announce anything about that breach. 
Had Paul said "Hey all, we've gotten hacked and we don't know how badly 
or how they got in or what the damage is" he'd have been eaten alive, 
and rightly so.  Instead he took a very reasonable approach, apparently 
disclosed as much as he could at the time, and warned folks as soon as 
he could to not trust updates.

But here you come from the outside and publicly call the head of the 
project a liar when you *clearly* do not have all the information.  What 
arrogance.  Congratulations, you've just landed at the top of the 
"Asshole of the Year" list.

Welcome to my killfile, Björn.

-- 
Thomas
