Re: Bug#129604: general: Social Contract: We Do Hide Problems
On Fri, 2002-01-18 at 08:20, Lars Bahner wrote:
> This doesn't cut the cheese. If, say, ``vsftpd'' is bugged with a remote
> root exploit with no patch in sight then I want to know, so I can remove
> this application system. If you know of such a hole and you are not
> telling me, then you are hiding the problem from me. This is simple and
> really can't be argued.
> There is a problem and you are not telling. Your motive may be good,
> but your action is ``hiding the problem'' from me. Indeed, you are
> deceiving me. I believe there is nothing wrong with ``vsftpd'' and you
> are hiding from me the fact that it isn't.
> The minute security is notified of a hole the hiding starts, unless an
> announcement is sent out.
Actually, technically, the hiding starts the moment the security team
reads the advisory. In the few minutes it takes them to forward the
message, write an advisory, whatever, they are depriving us of the
knowledge they have. Isn't that "hiding" it? Should we force the
security team to auto-forward all security reports to debian-devel,
because requiring manual intervention is tantamount to hiding the
I doubt any of us would go that far. Most everyone is willing to
concede a certain amount of "reasonable" preparation time to the
So why isn't it "reasonable" for participants on a vendor disclosure
list to wait for slower vendors to get their act together before
disclosing - especially if doing so is a prerequisite for getting access
to the list in the first place? Would you rather be blindsided by
security advisories, or see Debian get a reputation for "being a few
days behind the *real* distributions"?
Or, why isn't it "reasonable" for vendors to wait until fixes are
available, in case some poor business out there doesn't have the luxury
of, say, shutting down Apache (and therefore their online ordering
system) on a whim?