On Sat, Jan 19, 2002 at 03:28:00PM +0100, Noel Koethe wrote:
> On Sam, 19 Jan 2002, Fabian Fagerholm wrote:
> > > d) enter an order with the blacksmith down the street who has a
> > > non-buggy lock, and can come fix it before you have your patch
> > > kit in place.
> > Sorry, man, he's using the same lock mechanism as I am, just as buggy.
> > In fact, it's the same mechanism that most locksmiths have used for
> > years everywhere. So we agreed to fix it everywhere as soon as possible,
> > and not let the thieves know before it's done.
> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Who said anything about removing security-related bug reports from the BTS? Do you have an example of this happening? I would be duly outraged to learn that someone was removing information from the BTS, security-related or not.

But that's not what's happening here. We're not talking about reports filed by users; we're talking about security advisories received *in confidence* from organizations like CERT on the condition that we *don't* publicize the information before a predetermined time. Are you saying that this idea of not "hiding problems" is so overridingly important that it's better for Debian to put itself in a position where *we don't get told* about such security flaws until the whole world -- including the black hats -- knows about it?

It's one thing to keep quiet about a security hole when the information is already public or there's a known exploit in the wild; and there's been disagreement in the past over the security team's policy in such cases of waiting for the build daemons before releasing advisories. It's another thing to cooperate with those providing us information in order to ensure they will continue to do so.

Steve Langasek
postmodern programmer