Business IT - Technology for your business

Red Hat fesses up to Fedora FOSS security fiasco

The Fedora-Announce-List posting by Red Hat's Fedora project leader Paul Frields admits that "some Fedora servers were illegally accessed" and even that the "intrusion into the servers was quickly discovered, and the servers were taken offline."

Yet it has taken more than a week to disclose this information.

"While there is no definitive evidence that the Fedora key has been compromised," the posting continues, "because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys."

So, nothing serious then (not), and yet it has still taken more than a week to disclose this information.

I think the icing on this particular cheesecake would have to come with "Our previous warnings against further package updates were based on an abundance of caution, out of respect for our users."

Sorry, but respect in the world of FOSS hangs around one single word: open. Fedora has most certainly not been open in this case, at least not open enough, not quickly enough.

The promise to "continue to keep the Fedora community notified of any updates" is tempered by the concluding line of "Thank you again for your patience."

Is it really that far off the mark to suggest that one of the major benefits, from the security and bugs perspective, of open source is that problems are disclosed immediately and the community can therefore act quickly to correct them?

By not disclosing this information in a timely fashion, has Red Hat not done the whole FOSS movement a disservice?
