Bug#129604: general: Social Contract: We Do Hide Problems

To: Sam Hartman <hartmans@debian.org>
Cc: 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Bug#129604: general: Social Contract: We Do Hide Problems
From: Ben Collins <bcollins@debian.org>
Date: Thu, 17 Jan 2002 11:34:10 -0500
Message-id: <[🔎] 20020117163410.GP5977@blimpo.internal.net>
Reply-to: Ben Collins <bcollins@debian.org>, 129604@bugs.debian.org
In-reply-to: <[🔎] tslelkpymk5.fsf@loggerhead.mekinok.com>
References: <[🔎] 20020116223248.14723.qmail@Mail.CERT.Uni-Stuttgart.DE> <[🔎] 20020117023535.GE5977@blimpo.internal.net> <[🔎] tslelkpymk5.fsf@loggerhead.mekinok.com>

On Thu, Jan 17, 2002 at 11:22:34AM -0500, Sam Hartman wrote:
> >>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:
> 
>     Ben> You are misunderstanding two different circumstances.
>     Ben> Security alerts happen in two different ways:
> 
>     Ben> 1) The Author/Vendor/Security-Group discovers the
>     Ben> vulnerability in a closed situation. They want the
>     Ben> distribution vendors to have a chance to fix before making
>     Ben> the vulnerability know. So they cooperate. This is good, not
>     Ben> only for the distro vendors, but for their users.
> 
> I understand this circumstance fine.  Saying that it exists and even
> saying that it is ideal does not mean that it is consistent with the
> social contract.
> 
> I think this bug points out a real variance between the social
> contract and what we actually do.  You have not said anything that
> presents an argument against this position.  You have simply proposed
> that the current practice rather than the social contract is to be
> desired.
> 
> Perhaps you as DPL should introduce a resolution to fix the social
> contract if you believe that the current practice for incident type 1
> is correct.  You could probably even convince me to second such a GR.

I think your are confusin "hiding" with "good judgement". Hiding means
keeping it secret for extended, unwarranted periods for no other reason
than to give the appearance that there is no problem. How long after a
finding out about an exploit and announcing it would you consider not
hiding? 1 minute, 1 hour, 1 day, 1 week, 1 month? It's all
circumstantial, depending entirely on the situation. We don't "hide"
problems, we address the issues in a timely and intelligent manner.

I as a user would appreciate that if vendors find a problem, they fix it
before announcing it. If it takes them 6 months because they ignore the
problem, then that is bad. If it takes them a week to get their ducks in
a row, then it is worth it. The problem with security updates is that we
are usually following the hackers, trying to keep up with them. The one
instance where we have a chance to get ahead of them, we need to retain.

Ben

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

Reply to:

Follow-Ups:
- Bug#129604: general: Social Contract: We Do Hide Problems
  - From: Sam Hartman <hartmans@MIT.EDU>

References:
- Bug#129604: general: Social Contract: We Do Hide Problems
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Bug#129604: general: Social Contract: We Do Hide Problems
  - From: Ben Collins <bcollins@debian.org>
- Bug#129604: general: Social Contract: We Do Hide Problems
  - From: Sam Hartman <hartmans@debian.org>

Prev by Date: Re: A suggestion for the woody freeze
Next by Date: Bug#129604: general: Social Contract: We Do Hide Problems
Previous by thread: Bug#129604: general: Social Contract: We Do Hide Problems
Next by thread: Bug#129604: general: Social Contract: We Do Hide Problems
Index(es):
- Date
- Thread