While I can understand that the security team may want to receive problem reports in a secure manner and be able to scrutinise them first before going public, I am left in doubt whether Debian is actually about full disclosure (which the social contract seems to suggest), or whether we accept the practise of delayed disclosure.

For instance, in the Securing Manual, I find this (7.3):

"However, security updates are a little more different than normal uploads sent by package maintainers since, in some cases, before being published they need to wait until they can be tested further, an advisory written, or need to wait for a week or more to avoid publicising the flaw until all vendors have had a reasonable chance to fix it."

and later:

"if the problem is severe (remote exploitable, possibility to gain root privileges) it is preferable to share the information with other vendors and coordinate a release. The security team keeps contacts with the various organizations and individuals and can take care of that."

So far, I have been under the impression that Debian does not hide anything from its users. If a root exploit is out there, users want to know about it. Keeping it a secret is childish.

So what is the official procedure of the security team?

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!