Secrecy and user trust

[Bill Davidsen]

Bill Crawford wrote:
> On 02/09/2008, Les Mikesell <lesmikesell at gmail.com> wrote:
> 
>> When and how did the intrusion occur?  How was it initially detected?
> 
> *shrug*
> 
> I don't actually need to know, so I'm not making a fuss.
> 
> I suspect, as has been hinted at here multiple times, there may be
> legal reasons why they haven't provided you with some of the details
> you would like to see.

As noted, the detail I would have liked was to know if this was a 
failure of system security or a failure of misplaced trust. If there is 
a hole in their server system security it's likely to be in ours as well.

And if someone could say with certainty that packages downloaded before 
{date} were safe, it would be more reassuring than "there is little
risk to Fedora users who wish to install or upgrade signed Fedora
packages." If the start date of the problem is known, that would be 
really good information for people who keep a local repository and don't 
have to upgrade every new install totally over the network.
> 
> I'd suggest re-reading the announcement that Paul W. Frields sent out
> (url below) and then, should you really, really feel the need to know
> more, I'd suggest you contact whoever at the Fedora Project you pay
> for support, complaining about your SLA not being met ;o)
> 
> http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
> 
I felt the need to spend some of my three day holiday reinstalling 
servers with another distribution, when knowing the start date of the 
problem would have let me make an intelligent choice. Saying "was 
quickly discovered" doesn't tell me if it was minutes, hours, or months. 
What I was looking for was a "safe if loaded before" date.

So yes, I "really, really" felt the need to know more.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot