Re: The New Security Build Infrastructure

On Wed, Jun 19, 2002 at 10:04:13AM +0200, Florian Weimer wrote:
> >> By the way, handling security updates this way conflicts more and
> >> more with the Social Contract in its current form.
> > Didn't we already *have* this flamewar recently?
> Well, that time, it was generally assumed that Debian won't take
> active measures to hide problems from its users.  This is no longer
> the case.

I think it's an inevitable case of conflict between two clauses of the
Social Contract: 3 (We Won't Hide Problems) and 4 (Our Priorities are Our
Users and Free Software). Given there is _no_ wording that will exclude
_all_ possible conflicts of this kind, in each case of conflict we should
make a decision by weighing _both_ conflicting clauses, not by trying to
100% satisfy _one_ of them.

In this case, I personally decide that _delaying_ (not indefinitely)
security problem reports is a price worth paying for being able to
deliver _timely_ security fixes. You can set up a vote on this
particular case, but please don't try to change the Social Contract each
time you encounter such a conflict.

And, BTW, look at the exact wording of clause 3:

     We will keep our entire bug-report database open for public view at
     all times. Reports that users file on-line will immediately become
     visible to others.

I don't see how our security infrastructure affects either 1) the
bug-report database, or 2) reports filed on-line by users.

Dmitry Borodaenko