
Bug#129604: general: Social Contract: We Do Hide Problems



>>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:

    Ben> You are misunderstanding two different circumstances.
    Ben> Security alerts happen in two different ways:

    Ben> 1) The Author/Vendor/Security-Group discovers the
    Ben> vulnerability in a closed situation. They want the
    Ben> distribution vendors to have a chance to fix before making
    Ben> the vulnerability known. So they cooperate. This is good, not
    Ben> only for the distro vendors, but for their users.

I understand this circumstance fine.  Saying that it exists and even
saying that it is ideal does not mean that it is consistent with the
social contract.

I think this bug points out a real variance between the social
contract and what we actually do.  You have not said anything that
presents an argument against this position.  You have simply proposed
that the current practice rather than the social contract is to be
desired.

Perhaps you as DPL should introduce a resolution to fix the social
contract if you believe that the current practice for incident type 1
is correct.  You could probably even convince me to second such a GR.



