I sincerely believe that Red Hat acted with due diligence and did the right thing to keep what they discovered confidential.
Suppose the method of breaking in is common to Debian and any other Linux distribution. Should explaining the break-in in public add comfort to end-users and clues to hackers? I would say yes to the latter situation.
A comparison was made that Debian released an announcement and fix within three days of determining / solving the problem. But that was an SSH problem, not a compromise of any of their packages that would end up around the world.
Thank you Red Hat for following the course of action you did.