non-disclosure of infrastructure problem a management issue?

Craig White craigwhite at azapple.com
Mon Aug 25 10:11:05 UTC 2008


On Mon, 2008-08-25 at 12:30 +0930, Tim wrote:
> On Sun, 2008-08-24 at 21:38 -0700, Craig White wrote:
> > there's a lot of things to deal with and informing clients -
> > especially when the full extent is unknown is not a terribly
> > attractive prospect and definitely lower on the priority scale
> > than auditing the problem and obviously fixing the problem.
> 
> I think most of us were more peeved about not getting a *clear* warning,
> promptly, and wanting to know whether it really was a safety issue (do
> not download) or just broken servers (downloads may fail).  The how and
> what actually happened could have come out later on.
> 
> If it turned out that *because* of a lack of good warning, when a good
> warning could have been given out, that boxes got compromised all over
> the planet, you'd find users really pissed off and leaving in droves,
> and Red Hat and Fedora with a shattered reputation.
----
I fully expect that the reason that they took the system off-line 10
days ago was a clear indication of their doubt of the sanctity of the
packages and they didn't put it back online until they felt that they
knew the extent of the compromise.

Let's be real here...there have been instances when viruses and other
compromised code have been distributed, even in shrink-wrapped
proprietary software and we all have expectations of best efforts and if
someone feels that best efforts aren't being given, then they should
find another Linux distribution.

Craig
