Re: Bug#129604: general: Social Contract: We Do Hide Problems

On Sat, 2002-01-19 at 16:28, Noel Koethe wrote:
> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Yes, but please read again:
"We will keep our entire //bug-report database// open for public..."
"Reports that //users file on-line// will immediately become..."

That means
1. The BTS and the information in it is publicly accessible.
2. Information submitted to the BTS will go there immediately (i.e. the
BTS is unmoderated; there is no human intervention).

It does NOT say, "whenever we receive any piece of information, this
will be disseminated to the public".

Two notes.
1. This thread has made it sound like I favour a non-public approach to
security issues. This is not the case. In the default case, I think the
information should be released to the public without delay. But there
are some special situations where it can be beneficial for security not
to release the information until certain conditions are met.
2. "Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law." See also the section "NO WARRANTY",
paragraphs 11 and 12 of the GPL, section 10 of the Artistic License or
the section on warranty of the BSD-style license, which I think are the
three most common licenses under which software included in Debian is
distributed. There is no guarantee that Debian is totally secure in all
respects, and the reasonable efforts to fix security issues that we do
make do not replace a security-conscious sysadmin. Security is not