Bug#129604: general: Social Contract: We Do Hide Problems
On Sat, Jan 19, 2002 at 01:39:59PM -0500, Anthony DeRobertis wrote:
> Can't we satisfy not disclosing the vulnerability and letting
> our users know by doing something like this:
>
>     Debian has been informed of a [<<type>>] vulnerability in
>     <<package>> [by <<someone>>]. We are preparing an updated
>     package, which will be available from security.debian.org
>     along with a DSA [on <<date>>].

No. If the information was given in confidence then the recipients
cannot in good conscience disclose *any* of the information. You can
argue the point with those who originated the information, but not those
who received it.