
Bug#129604: general: Social Contract: We Do Hide Problems



Package: general
Version: N/A; reported 2002-01-16
Tags: security

Over the past few months, the GNU/Linux community has slowly adopted a
way of dealing with security issues which closely resembles the approach
suggested by Microsoft last year: more-or-less systematic hiding of
security problems from end users, at least for some time.

Some Debian maintainers seem to participate in this process, and hold
back security fixes, waiting for events to happen which are external
and not related to the Debian project (for example, other distributors
being ready to publish fixes).

I'm not sure if this approach is desirable, or has the intended effect.
However, I do think that it is conflicting with the third item of the
Social Contract: The promise, "We Won't Hide Problems", is not held.
(The following technical explanation is honored, though; such problem
reports never enter the Bug Tracking System before release.)

However, I do think that the Social Contract needs to reflect this
problem.  After all, the claim, "We Won't Hide Problems", gives the user
a false sense of security and openness.



