Re: The New Security Build Infrastructure
On Wed, Jun 19, 2002 at 10:04:13AM +0200, Florian Weimer wrote:
> >> By the way, handling security updates this way conflicts more and
> >> more with the Social Contract in its current form.
> > Didn't we already *have* this flamewar recently?
> Well, that time, it was generally assumed that Debian won't take
> active measures to hide problems from its users. This is no longer
> the case.

I think it's an inevitable case of conflict between two clauses of the
Social Contract: 3 (We Won't Hide Problems) and 4 (Our Priorities are Our
Users and Free Software). Given there is _no_ wording that will exclude
_all_ possible conflicts of this kind, in each case of conflict we should
make a decision by weighing _both_ conflicting clauses, not by trying to
100% satisfy _one_ of them.

In this case, I personally decide that _delaying_ security problem
reports non-indefinitely is a price worth paying for being able to
deliver _timely_ security fixes. You can set up a vote on this
particular case, but please don't try to change the Social Contract each
time you encounter such a conflict.

And, BTW, look at the exact wording of clause 3:

    We will keep our entire bug-report database open for public view at
    all times. Reports that users file on-line will immediately become
    visible to others.

I don't see how our security infrastructure affects either 1) the
bug-report database, or 2) reports filed on-line by users.