Re: non-disclosure of infrastructure problem a management issue?

On Sun, Aug 24, 2008 at 9:20 AM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> The way the recent compromise was handled was not a good example of how a
> truly open project should have handled such an incident. It took a week
> before a statement was issued admitting a compromise. That should have
> been part of the very first announcement.


You want it handled better in the future?  Then write a draft process
that will withstand the scrutiny of legal on how to handle situations
such as this as transparently as possible.  It's easy to look back at
this specific incident and second guess how it was handled. But that's
not good enough to do that.. not even close.  We aren't going to build
a policy around the chatter over this one incident.  If you want to
see sensitive issues handled better in the future, then stand up a
strawman for a transparent process that can be generally applied to
sensitive issues. A transparent process that deals with legal issues
must balance caution with disclosure.  I believe that an incident
response process itself can be transparent, even if the full details
can not be publicly disclosed instantaneously due to legal constraint.
And rest assured that whatever process that is will never satisfy all
disclosure demands. But if we as a community haven't put in the work
to build a process that guides the actions taken in a crisis situation
that meets legal constraints, then we as a community, have no right to
sit back and second guess the actions of any individuals who have to
stand in the middle of a crisis and make a judgement call.

You want things to be better? You want to have the right to hold up
the actions of our leadership to your opinions on how things should be
done? Then create the process document which is meant to guide their
actions before they have to step in and take action. If that process
document doesn't meet legal scrutiny... then you get to do it again
and again and again..until it does.  I don't expect the first such
draft to meet the necessary legal scrutiny. I expect that this will
take non-trivial effort and a few rounds of dialogue to get legal and
community on the same page as to what is achievable as a transparent
process that doesn't trip over a legal landmine.  And while I haven't
talked to Paul personally about this, I'm pretty sure that he is
between a rock and a hard place when it comes to satisfying both the
perceived needs of community and the strictures of legal constraints
in this matter. So are the other people who have been working on the
infrastructure to resolve the issue.  And we as a community are only
going to make it easier for Paul or other leadership if we find a way
to get a process document into the hands of Legal and start hammering
how to handle this sort of crap with more transparency moving forward.

To expect any individual to make a judgement call in the time of need
that attempts to infer the consensus opinion of the larger community
is ridiculous. Such consensus opinion must be formed and communicated
before the need for action occurs.   And if this community moves
forward and starts to put a process document together, then those of
you in the community who have had to deal with situations like this in
the past, need to be involved..to educate those other people in the
community who do not comprehend the nature of the legal constraints.
I'm going to strongly suggest that if the first draft of such a
transparent process document doesn't attempt to address the
community's perception of what the legal constraints are..but instead
reads as a bald demand for instant disclosure, then you haven't done
your jobs at creating a useful starting point for a dialogue on the
issue.. and you'll have squandered an opportunity to increase process
transparency.


-jef

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list