Debian took an undue amount of criticism for the flaw -- not least because Debian has always claimed to be one of the more secure distributions. But, in fact, its response was not only in the forthright tradition of FOSS, but also in accord with best security practices, which reject the idea of security through obscurity -- the idea that keeping a problem secret is the best way to ensure that it won't be exploited.
By contrast, the Fedora-Red Hat announcements not only concealed information, but gave users no way to investigate their own system for problems, nor any means of protection beyond the negative one of not installing or updating. Faced with a security problem, Red Hat reacted far less like Debian and much more like Microsoft, which is notorious for denying security problems until a patch is ready. No doubt it tried to protect its corporate interests, but it did next to nothing for users. When trouble came, FOSS interests and standards were apparently jettisoned in favor of immediate business concerns.
The damage to Fedora's credibility is potentially immense. In a matter of days, Red Hat has quashed Fedora's claim to independence. It has also threatened the credibility of the Red Hat employees who manage Fedora -- people whose devotion to FOSS has always been clear in their actions and dedication. Frields especially is hard hit, having apparently signed his name to announcements written in a style so different from his normal one that he was likely just signing statements written by Red Hat executives and lawyers.
Nor am I alone in this perception. The Fedora Board itself seems perfectly aware of its embarrassing position, if the minutes of its last meeting are any indication. As might be expected, much of the meeting was devoted to "discussion about the incident handling," and the summary expresses concerns that officially neither Red Hat nor Fedora admitted.
"Could other groups have been brought into knowledge of the incident earlier?" the minutes ask. "Could the Fedora Board have been notified or kept in the loop better?" The summary goes on to note that events were "complicated by co-announcement made by Red Hat," and notes an "ongoing tension between Fedora being able to act independently and Red Hat being liable for Fedora's actions." The summary also says that the board doesn't "want to get into a situation where every Fedora decision or announcement has to be vetted through Red Hat executive levels" before discussing possible plans to avoid similar situations in the future.
What is interesting about this summary is that it seems to confirm the worst possible misgivings. Not only was Fedora not allowed to act independently in the crisis, but even its board was apparently not adequately informed. Having witnessed the dedication and energy of a few members of the board, as well as several Red Hat employees who work full-time on Fedora, I can only sympathize with them as they learn to live with the fact that, at the first crisis, their idealism was swept aside by immediate corporate concerns.
Both Fedora and Red Hat will undoubtedly weather this crisis. It may even be that, as the Fedora board minutes optimistically assume, the experience can be used to improve how Fedora and Red Hat interact when other problems arise.
Still, looking at how the crisis was handled, you might be forgiven for being pessimistic. If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies -- especially publicly-traded ones -- will act any better?
I'd like to think that Red Hat panicked or took bad advice. Perhaps it will show more respect to FOSS in the next crisis. But perhaps this example shows that FOSS attitudes and standards can only exist with accepted business practice when times are good -- and that, when a problem arises, FOSS becomes the first casualty.