Security breaches bring out the proprietary attitude in all of us. When security is breached, we instinctively hide the details and build a metaphorical police line around it, telling onlookers to move along.
The security attitude runs counter to the open source attitude. Open source demands that bugs be seen and lessons shared. The security attitude fears this release of information because the evildoers might get it.
As project chair Paul Frields eventually explained to his list, someone got into servers where Fedora was housed and there was fear they may have gotten the passphrase securing the Fedora signing key.
Had this happened it could have been disastrous. Malware could have been added to packages and pushed out as updates with all security checks apparently intact.
But this did not happen, Frields wrote:
Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
Good news. No problem, no story. Move along.
Not exactly. As Frields later revealed on his personal blog, the Fedora team had to essentially raze and rebuild the core infrastructure of their project in just a week, in conjunction with sponsor Red Hat's security team.
Things were quite fraught. It was a Fedora version of the Cuban missile crisis. It all worked out, but it was a close-run thing.
The clean-up has been extensive. As Byfield noted in his recent piece, as of September 8 security updates and bug fixes were still not going out as normal.
What got Byfield's undies in a twist was the Red Hat corporate attitude toward this, which was to say nothing meaningful. Was this the corporate mindset at work? Or was it the security mindset?
My conclusion is it was human instinct, but instinct can be fought and re-trained.
When the Debian project had a problem with OpenSSL back in May, there was no hair-pulling, just an open admission of what was wrong and what to do about it.
Was the Debian flaw as serious, as far-reaching as what happened with Fedora? Probably not. In retrospect, were users better served by Debian's openness or Red Hat's closed mouths? You be the judge.
There are indications that the Fedora board wants to adopt the Debian way, as seen in the minutes of their last board meeting.
But what about Red Hat? What about the security industry? More important, what about the vast mass of users?
For the last 7 years we've had secrecy and fear rule our security attitudes. Kill, torture, detain, and deny everything have been our watchwords. Are we safer?
A proprietary attitude toward security depends on I. An open source attitude depends on we.
I think it's clear which works best in practice. But my feelings may still be the minority view.