
Re: Bug#129604: general: Social Contract: We Do Hide Problems



On Sat, Jan 19, 2002 at 03:28:00PM +0100, Noel Koethe wrote:
> On Sam, 19 Jan 2002, Fabian Fagerholm wrote:

> > >     d) enter an order with the blacksmith down the street who has a
> > >        non-buggy lock, and can come fix it before you have your patch
> > >        kit in place.

> > Sorry, man, he's using the same lock mechanism as I am, just as buggy.
> > In fact, it's the same mechanism that most locksmiths have used for
> > years everywhere. So we agreed to fix it everywhere as soon as possible,
> > and not let the thieves know before it's done.

> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Who said anything about removing security-related bug reports from the 
BTS?  Do you have an example of this happening?  I would be duly 
outraged to learn that someone was removing information from the BTS, 
security-related or not.

But that's not what's happening here.  We're not talking about reports 
filed by users; we're talking about security advisories received *in 
confidence* from organizations like CERT on the condition that we 
*don't* publicize the information before a predetermined time.  Are you 
saying that this idea of not "hiding problems" is so overridingly 
important that it's better for Debian to put itself in a position where 
*we don't get told* about such security flaws until the whole world, 
including the black hats, knows about them?

It's one thing to keep quiet about a security hole when the information
is already public or there's a known exploit in the wild; and there's 
been disagreement in the past over the security team's policy in such 
cases of waiting for the build daemons before releasing advisories.  
It's another thing to cooperate with those providing us information in 
order to ensure they will continue to do so.

Steve Langasek
postmodern programmer
