Bug#129604: general: Social Contract: We Do Hide Problems

["Anthony DeRobertis" <asd@suespammers.org>]

Michael Stone writes: 

> On Sat, Jan 19, 2002 at 01:39:59PM -0500, Anthony DeRobertis wrote:
> > Can't we satisfy not disclosing the vulnerability and letting 
> > our users know by doing something like this: 
> >
> > 	Debian has been informed of a [<<type>>] vulnerability in
> > 	<<package>> [by <<someone>>]. We are preparing an updated
> > 	package, which will be available from security.debian.org
> > 	along with a DSA [on <<date>>].
>
> No. If the information was given in confidence then the recipients
> cannot in good conscience disclose *any* of the information. You can
> argue the point with those who originated the information, but not those
> who received it.

I suggested the above because I don't see why the people origonating the 
information would object. We should, of course, ask them first. 

Iff it becomes accepted policy in the security community for a vendor to do 
an announcement like the above, then we could make it our standard way of 
handling security problems, and document that on the web page. 

I don't want Debian left out in the cold by the security community! 

> --
> Mike Stone