We don't know enough yet

Posted Sep 10, 2008 19:34 UTC (Wed) by jmorris42 (subscriber, #2203)
Parent article: The Fedora-Red Hat Crisis (Datamation)

My take is that Red Hat and the Fedora project are run by competent folks. But no security system is 100%, and they have been caught with their pants down. I'm willing to take them at their word that they really, really don't think the attacker managed to get all the way to injecting trojaned packages into the errata stream of either Fedora or RHEL, mostly because they were upfront about it being luck that saved them. If they see a threat to their user base in this event, it is a safe bet they will do whatever it takes to protect us.

They didn't really have a detailed game plan for such an event (a problem I'm sure they see in hindsight as clearly as anybody else) and are making this up as they go, except that, as a corporation traded on a major exchange, they have to run everything past the lawyers, and that always slows things down.

So far they have mostly done the right things... again, considering a large organization facing an unexpected crisis. Once they saw a problem, they have been trying to fully understand it, contain and mitigate it, and then work to improve their processes. Public disclosure isn't always the best bet until you have fully understood the problem and made sure that disclosure isn't likely to open up an even bigger can o' worms. Sometimes quietly working with the other vendors to bring out a fix before a public disclosure isn't fascist; it is being responsible. Eventually we will know all of the details; then we can talk about any up/downside for Red Hat community relations. Right now it's just bloviating.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds