Re: The New Security Build Infrastructure
On Wed, 19 Jun 2002, Florian Weimer wrote:
> Stephen Stafford <firstname.lastname@example.org> writes:
> >> By the way, handling security updates this way conflicts more and more
> >> with the Social Contract in its current form.
No, it does not. It is a subjective matter, and to many of us the way
security is being currently handled (need-to-know when it is required,
disclosure when hole is fixed) is indeed the best we can do for our users.
Would you care to explain how "handling security matters responsibly, in
order to keep open the very channels we need, so as to be more effective in
those matters" is a "problem" that we are "hinding from our users"?
If you cannot do that, then please stop wasting our time.
> Well, that time, it was generally assumed that the Debian won't take
> active measures to hide problems from its users. This is no longer
> the case.
Bullshit. Need-to-know in ongoing security issues, as long as the hole is
brought up to the general public's attention after it is fixed (or made
public by another party, or it is not going to be fixed) is NOT hiding a
problem from our users.
Now, if you ask the security team directly about "is foo vulnerable to the
bar exploit currently?" through the proper email address, and they do not
answer you, THAT would be an issue. But this has not happened yet AFAIK.
> > We either accept it, or we don't *get* the advance notice and chance
> > to release security updates. That *would* conflict with our social
> > contract as it would most definitely *not* be looking after the best
> > interests of our users.
> Maybe we should poll our users if they want to have Sun Java in main?
> RUS-CERT fax +49-711-685-5898
CERT takes need-to-know matters in security exactly the same way Debian
currently does. Why should we not act the same way CERT itself believes to
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org