i think they CAN'T pretend there is no problem, given that everything they've got is/has been
down.
the problem is the secrecy. that's really been the fedora way ever since the beginning -- a
small in-bunch, and then the rest of us unwashed masses.
it's very hard to trust when secrecy is all that seems to happen with them.
if it weren't a security issue, it would have been easy to say something about the problem.
if it is, then all the unwashed masses need to know if we're affected or not.
seems to me that fedora has very much not earned much credibility. and has mostly lost what
little it had because of the way this is being handled.
Posted Aug 17, 2008 9:55 UTC (Sun) by tajyrink (subscriber, #2750)
One cannot judge them before the details are known. Of course more knowledge would be nice,
but it may be the best way the situation could be handled is being done.
I think this is a bit the same as around here (probably everywhere) when there is some tragic
accident: some people always shout that "people need to know!!" just because they are curious
and want to read everything terrible in the tabloids, even though actually minimizing the
tragedy and trying to investigate could rather require secrecy.
If they do not know the exact problem, and have reason to believe hostile people could
theoretically do something bad if they released partial knowledge to the public,
secrecy is the only way to try to minimize risks.
If it turns out more information should have been let out earlier to minimize risks, then they
chose wrong. Let's see.
Full disclosure
Posted Aug 17, 2008 12:59 UTC (Sun) by salimma (subscriber, #34460)
Your judgment seems rather harsh. Pre-existing anti-Red Hat bias? The Fedora project is
actually one of the more openly-run community Linux distributions -- apart from Debian, I'm
hard-pressed to name another project that is as open to community input (and in fact, it is
easier to become a Fedora contributor than to be a Debian developer).
As others have said, this is probably a Fedora-specific vulnerability. If it affects no other
service providers, and Fedora has warned its users not to use their services for the time
being, how is a full disclosure the more responsible thing to do? You'd be providing more
information about possible attack vectors, without any legitimate use.
Disclaimer: I am a Fedora contributor myself