Secrecy and user trust

Bill Davidsen davidsen at tmr.com
Tue Sep 2 16:36:37 UTC 2008


Having been a participant in or project leader for system programs, systems 
and network administration, and security development and monitoring for 
some decades, I think the Fedora project is lacking the most 
important clue on handling a security issue: keeping the users 
informed so they can make rational decisions.

If the infrastructure problem was caused by a disgruntled employee 
rather than a gaping hole in the security of the distribution, that 
should have been said, to reassure users that they don't have the same 
hole. Yes, there may be code which snuck in after the compromise, we 
understand that.

If there is a hole, users should know that, even if you don't have a 
fix, to avoid the impression that the problems are being covered up.

If there is a known date before which packages can be trusted, that 
should be said. Users who lag the cutting edge will be reassured. People 
won't have to be checking security logs for a decade if the problem is 
more recent. People on distributions older than FC8 that are not 
maintained should be told if the problem goes back that far.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
