
Re: Bug#129604: general: Social Contract: We Do Hide Problems



* Julian Gilbey <J.D.Gilbey@qmul.ac.uk> [020117 01:40]:
> I would prefer this than to have some other distro release an
> announcement to the big wide world which says "There's a root
> compromise in package foo we've just discovered, here's how you do it
> and here's how to fix it", then for us to take 4 days to implement the
> patch, leaving everyone's machines vulnerable during this period.
> 
> The delays are usually short, about 2-3 weeks or so, and as long as
> the compromise is kept very quiet for that limited period while a
> patch is developed, everyone is usually better off for it.


While I think it is not very good to have the exploit widely known,
I think users have a right to know that there is an exploit.

If it only were a message like "There seems to be <type of exploit>
in package <name>, we cooperate to have a fix in the next days,
consider switching off the service in the meantime, if possible
and wise in your situation".

Respectfully,
  Bernhard R. Link


