
full disclosure, or not?

While I can understand that the security team may want to receive
problem reports in a secure manner and be able to scrutinise them
first before going public, I am left in doubt whether Debian is actually
about full disclosure (which the social contract seems to suggest),
or whether we accept the practice of delayed disclosure. For
instance, in the Securing Manual, I find this (7.3):

"However, security updates are a little more different than normal
uploads sent by package maintainers since, in some cases, before
being published they need to wait until they can be tested further,
an advisory written, or need to wait for a week or more to avoid
publicising the flaw until all vendors have had a reasonable chance
to fix it."

and later:

"if the problem is severe (remote exploitable, possibility to gain
root privileges) it is preferable to share the information with
other vendors and coordinate a release. The security team keeps
contacts with the various organizations and individuals and can take
care of that."

So far, I have been under the impression that Debian does not hide
anything from its users. If a root exploit is out there, users want
to know about it. Keeping it a secret is childish.

So what is the official procedure of the security team?

Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
