
Re: Debian Social Contract.



On Thu, 2002-01-17 at 02:15, T.J. Duchene wrote:
> Please excuse my appearing to barge in, as I am not yet a member of the 
> Debian Project, but it seems to me that the "no hide" part of the Debian 
> Contract is a statement of principle.
> 
> It should be honored.  By not honoring it, developers take the risk of 
> damaging Debian's reputation.  If a security hole endangers machines, 
> everyone needs to know, because I can assure you that the kind of people who 
> take advantage of them do not keep the secret from each other - often posting 
> holes publicly for others to see.

I would agree to the extent that immediate disclosure should be the goal
for handling received advisories. On the other hand, there are weighty
arguments for delaying in some cases. It seems appropriate to follow the
guidelines referred to on this list by John Robinson at
http://www.wiretrip.net/rfp/policy.html. 

Should we do so explicitly? Considering the high principles of Debian
and at the same time all the diverse elements of the security community,
adhering to certain guidelines for appropriate handling of security
advisories seems reasonable, as guidelines for disclosing security
related bugs or issues ASAP.

Of course the "no hide" clause of the contract is meant to apply to all
types of bugs, not just security-related ones. The intention clearly is
that we don't want to hide the fact that there might be some problems
with getting some programmes to run properly in Debian, i.e. no bugs in
the BTS are marked "hidden".

There is obviously a difference between security issues and bugs in the
way they are brought to our attention. Security issues are not entered into
the BTS, but if they are (say by some user) then we wouldn't remove it.
(Would we?). On the other hand, when the security team receives word of
an issue which will affect the security of Debian, then if they treat
that issue in accordance with the above-mentioned ////// Full Disclosure
Policy (RFPolicy) v2.0 ////// and we explicitly state so, then there is
no conflict anymore. Is there?
-- 
Lars Bahner,
http://lars.bahner.com/

Nihil est sine ratione cur potius sit, quam non sit.
