Re: Debian Social Contract.



On Wed, Jan 16, 2002 at 07:15:09PM -0600, T.J. Duchene wrote:
> Please excuse my appearing to barge in, as I am not yet a member of the 
> Debian Project, but it seems to me that the "no hide" part of the Debian 
> Contract is a statement of principle.

>  It should be honored.  By not honoring it, developers take the risk
> of damaging Debian's reputation.  If a security hole endangers
> machines, everyone needs to know, because I can assure you that the
> kind of people who take advantage of them do not keep the secret
> from each other - often posting holes publicly for others to see.

OK.  Let's get this clear:

Vendors and/or authors of software discover security holes sometimes.
They currently tell the Debian security team about it, so we can
prepare fixes.

If the Debian security team were not prepared to keep them secret for
an agreed (short) amount of time, then they would not be informed
about them *at* *all*.

Which is better?

a) That Debian, believing it shouldn't hide things, becomes the least
secure Linux distribution because it is the only one the vendors don't
send security advisories to.

b) Debian participates in the scheme, and has security fixes promptly
just like the other OSes.

Jules
