
Bug#129604: marked as done (general: Social Contract: We Do Hide Problems)



Your message dated Thu, 17 Jan 2002 01:30:09 +0100
with message-id <20020117003009.GJ28254@wiggy.net>
and subject line Bug#129604: general: Social Contract: We Do Hide Problems
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Jan 2002 22:34:41 +0000
>From Weimer@cert.uni-stuttgart.de Wed Jan 16 16:34:41 2002
Return-path: <Weimer@cert.uni-stuttgart.de>
Received: from mail.cert.uni-stuttgart.de [129.69.16.17] 
	by master.debian.org with smtp (Exim 3.12 1 (Debian))
	id 16Qydl-0000zT-00; Wed, 16 Jan 2002 16:34:41 -0600
Received: (qmail 14724 invoked by uid 1000); 16 Jan 2002 22:32:48 -0000
Message-ID: <20020116223248.14723.qmail@Mail.CERT.Uni-Stuttgart.DE>
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: general: Social Contract: We Do Hide Problems
X-Reportbug-Version: 1.41.1421
X-Mailer: reportbug 1.41.1421
Date: Wed, 16 Jan 2002 23:32:48 +0100
Delivered-To: submit@bugs.debian.org

Package: general
Version: N/A; reported 2002-01-16
Tags: security

Over the past few months, the GNU/Linux community has slowly adopted a
way of dealing with security issues which closely resembles the approach
suggested by Microsoft last year: more-or-less systematic hiding of
security problems from end users, at least for some time.

Some Debian maintainers seem to participate in this process, and hold
back security fixes, waiting for events to happen which are external
and not related to the Debian project (for example, other distributors
being ready to publish fixes).

I'm not sure if this approach is desirable, or has the intended effect.
However, I do think that it is conflicting with the third item of the
Social Contract: The promise, "We Won't Hide Problems", is not held.
(The following technical explanation is honored, though, such problem
reports never enter the Bug Tracking System before release.)

However, I do think that the Social Contract needs to reflect this
problem.  After all, the claim, "We Won't Hide Problems", gives the user
a false sense of security and openness.


---------------------------------------
Received: (at 129604-done) by bugs.debian.org; 17 Jan 2002 00:30:13 +0000
>From wichert@wiggy.net Wed Jan 16 18:30:13 2002
Return-path: <wichert@wiggy.net>
Received: from cabal.xs4all.nl (mx1.wiggy.net) [213.84.101.140] ([vdkoNT+Dz1c3QOBA831uLFJq4dh3zKXf])
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16R0RY-0000pd-00; Wed, 16 Jan 2002 18:30:12 -0600
Received: from wichert by mx1.wiggy.net with local (Exim 3.33 #1 (Debian))
	id 16R0RW-0006sK-00; Thu, 17 Jan 2002 01:30:10 +0100
Date: Thu, 17 Jan 2002 01:30:09 +0100
From: Wichert Akkerman <wichert@wiggy.net>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
	129604-done@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Message-ID: <20020117003009.GJ28254@wiggy.net>
References: <20020116223248.14723.qmail@Mail.CERT.Uni-Stuttgart.DE>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020116223248.14723.qmail@Mail.CERT.Uni-Stuttgart.DE>
User-Agent: Mutt/1.3.24i
Delivered-To: 129604-done@bugs.debian.org

Previously Florian Weimer wrote:
> Over the past few months, the GNU/Linux community has slowly adopted a
> way of dealing with security issues which closely resembles the approach
> suggested by Microsoft last year: more-or-less systematic hiding of
> security problems from end users, at least for some time.

We haven't changed policy at all.

> Some Debian maintainers seem to participate in this process, and hold
> back security fixes, waiting for events to happen which are external
> and not related to the Debian project (for example, other distributors
> being ready to publish fixes).

It's either coordinating such advisories or not getting the information
at all, which means we'll be much later than other distributors and
having less support for our users.

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


