On Thu, 2002-01-17 at 02:15, T.J. Duchene wrote:

> Please excuse my appearing to barge in, as I am not yet a member of the
> Debian Project, but it seems to me that the "no hide" part of the Debian
> Contract is a statement of principle.
>
> It should be honored. By not honoring it, developers take the risk of
> damaging Debian's reputation. If a security hole endangers machines,
> everyone needs to know, because I can assure you that the kind of people who
> take advantage of them do not keep the secret from each other - often posting
> holes publicly for others to see.

I would agree to the extent that immediate disclosure should be the goal for handling received advisories. On the other hand, there are weighty arguments for delaying in some cases. It seems appropriate to follow the guidelines referred to on this list by John Robinson at http://www.wiretrip.net/rfp/policy.html. Should we do so explicitly?

Considering the high principles of Debian and at the same time all the diverse elements of the security community, adhering to certain guidelines for appropriate handling of security advisories seems reasonable, as guidelines for disclosing security-related bugs or issues ASAP.

Of course the "no hide" clause of the contract is meant to apply to all types of bugs, not just security-related ones. The intention clearly is that we don't want to hide the fact that there might be some problems with getting some programmes to run properly in Debian, i.e. no bugs in the BTS are marked "hidden". There is obviously a difference between security issues and bugs in the way they are brought to our attention. Security issues are not entered into the BTS, but if they are (say by some user) then we wouldn't remove it. (Would we?)

On the other hand, when the security team receives word of an issue which will affect the security of Debian, then if they treat that issue in accordance with the abovementioned "Full Disclosure Policy (RFPolicy) v2.0" and we explicitly state so, then there is no conflict anymore. Is there?

-- 
Lars Bahner, http://lars.bahner.com/
Nihil est sine ratione cur potius sit, quam non sit.