Re: The New Security Build Infrastructure

To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: debian-devel@lists.debian.org
Subject: Re: The New Security Build Infrastructure
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 19 Jun 2002 09:27:32 -0300
Message-id: <[🔎] 20020619092732.A3573@khazad-dum>
In-reply-to: <[🔎] 87y9dbpucs.fsf@CERT.Uni-Stuttgart.DE>; from Weimer@CERT.Uni-Stuttgart.DE on Qua, Jun 19, 2002 at 10:04:35 +0200
References: <20020608082646.GA14111@azure.humbug.org.au> <[🔎] 87vg8to3ng.fsf@CERT.Uni-Stuttgart.DE> <[🔎] 20020608215616.GA22045@clothcat.demon.co.uk> <[🔎] 87y9dbpucs.fsf@CERT.Uni-Stuttgart.DE>

On Wed, 19 Jun 2002, Florian Weimer wrote:
> Stephen Stafford <stephen@clothcat.demon.co.uk> writes:
> >> By the way, handling security updates this way conflicts more and more
> >> with the Social Contract in its current form.

No, it does not.  It is a subjective matter, and to many of us the way
security is being currently handled (need-to-know when it is required,
disclosure when hole is fixed) is indeed the best we can do for our users.

Would you care to explain how "handling security matters responsibly, in
order to keep open the very channels we need, so as to be more effective in
those matters" is a "problem" that we are "hinding from our users"?

If you cannot do that, then please stop wasting our time.

> Well, that time, it was generally assumed that the Debian won't take
> active measures to hide problems from its users.  This is no longer
> the case.

Bullshit.  Need-to-know in ongoing security issues, as long as the hole is
brought up to the general public's attention after it is fixed (or made
public by another party, or it is not going to be fixed) is NOT hiding a
problem from our users.

Now, if you ask the security team directly about "is foo vulnerable to the
bar exploit currently?" through the proper email address, and they do not
answer you, THAT would be an issue.  But this has not happened yet AFAIK.

> > We either accept it, or we don't *get* the advance notice and chance
> > to release security updates.  That *would* conflict with our social
> > contract as it would most definitely *not* be looking after the best
> > interests of our users.
> 
> Maybe we should poll our users if they want to have Sun Java in main?

Stop trolling.

> RUS-CERT                          fax +49-711-685-5898

CERT takes need-to-know matters in security exactly the same way Debian
currently does.  Why should we not act the same way CERT itself believes to
be best?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: The New Security Build Infrastructure
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: The New Security Build Infrastructure
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Re: The New Security Build Infrastructure
  - From: Stephen Stafford <stephen@clothcat.demon.co.uk>
- Re: The New Security Build Infrastructure
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Prev by Date: Re: The New Security Build Infrastructure
Next by Date: Re: The New Security Build Infrastructure
Previous by thread: Re: The New Security Build Infrastructure
Next by thread: Re: The New Security Build Infrastructure
Index(es):
- Date
- Thread