Bug#129604: general: Social Contract: We Do Hide Problems
On Wed, Jan 16, 2002 at 11:32:48PM +0100, Florian Weimer wrote:
> Over the past few months, the GNU/Linux community has slowly adopted a
> way of dealing with security issues which closely resembles the approach
> suggested by Microsoft last year: more-or-less systematic hiding of
> security problems from end users, at least for some time.
>
> Some Debian maintainers seem to participate in this process, and hold
> back security fixes, waiting for events to happen which are external
> and not related to the Debian project (for example, other distributors
> being ready to publish fixes).
>
> I'm not sure if this approach is desirable, or has the intended effect.
> However, I do think that it is conflicting with the third item of the
> Social Contract: The promise, "We Won't Hide Problems", is not held.
> (The following technical explanation is honored, though: such problem
> reports never enter the Bug Tracking System before release.)
>
> However, I do think that the Social Contract needs to reflect this
> problem. After all, the claim, "We Won't Hide Problems", gives the user
> a false sense of security and openness.
I would prefer this to having some other distro release an
announcement to the big wide world which says "There's a root
compromise in package foo we've just discovered, here's how you do it
and here's how to fix it", then for us to take 4 days to implement the
patch, leaving everyone's machines vulnerable during this period.
The delays are usually short, about 2-3 weeks or so, and as long as
the compromise is kept very quiet for that limited period while a
patch is developed, everyone is usually better off for it.
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, Debian GNU/Linux Developer
Queen Mary, Univ. of London see http://people.debian.org/~jdg/
http://www.maths.qmul.ac.uk/~jdg/ or http://www.debian.org/
Visit http://www.thehungersite.com/ to help feed the hungry