On Sun, Aug 24, 2008 at 9:20 AM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> The way the recent compromise was handled was not a good example of how a
> truly open project should have handled such an incident. It took a week
> before a statement was issued admitting a compromise. That should have
> been part of the very first announcement.

You want it handled better in the future? Then write a draft process that will withstand the scrutiny of legal on how to handle situations such as this as transparently as possible.

It's easy to look back at this specific incident and second guess how it was handled. But that's not good enough to do that.. not even close. We aren't going to build a policy around the chatter over this one incident. If you want to see sensitive issues handled better in the future, then stand up a strawman for a transparent process that can be generally applied to sensitive issues.

A transparent process that deals with legal issues must balance caution with disclosure. I believe that an incident response process itself can be transparent, even if the full details cannot be publicly disclosed instantaneously due to legal constraint. And rest assured that whatever process that is will never satisfy all disclosure demands. But if we as a community haven't put in the work to build a process that guides the actions taken in a crisis situation that meets legal constraints, then we as a community have no right to sit back and second guess the actions of any individuals who have to stand in the middle of a crisis and make a judgement call.

You want things to be better? You want to have the right to hold up the actions of our leadership to your opinions on how things should be done? Then create the process document which is meant to guide their actions before they have to step in and take action. If that process document doesn't meet legal scrutiny... then you get to do it again and again and again..until it does.

I don't expect the first such draft to meet the necessary legal scrutiny. I expect that this will take non-trivial effort and a few rounds of dialogue to get legal and community on the same page as to what is achievable as a transparent process that doesn't trip over a legal landmine.

And while I haven't talked to Paul personally about this, I'm pretty sure that he is between a rock and a hard place when it comes to satisfying both the perceived needs of community and the strictures of legal constraints in this matter. So are the other people who have been working on the infrastructure to resolve the issue. And we as a community are only going to make it easier for Paul or other leadership if we find a way to get a process document into the hands of Legal and start hammering out how to handle this sort of crap with more transparency moving forward.

To expect any individual to make a judgement call in the time of need that attempts to infer the consensus opinion of the larger community is ridiculous. Such consensus opinion must be formed and communicated before the need for action occurs.

And if this community moves forward and starts to put a process document together, then those of you in the community who have had to deal with situations like this in the past need to be involved..to educate those other people in the community who do not comprehend the nature of the legal constraints.

I'm going to strongly suggest that if the first draft of such a transparent process document doesn't attempt to address the community's perception of what the legal constraints are..but instead reads as a bald demand for instant disclosure. Then you haven't done your jobs at creating a useful starting point for a dialogue on the issue.. and you'll have squandered an opportunity to increase process transparency.

-jef