
Re: Proposal for *Real* Declassification of debian-private archives



* Daniel Ruoso:

>> This distinction is important because for years, security@debian.org
>> was an alias for debian-private, and people who sent mail to that
>> address might be very surprised that it's subject to declassification
>> (and that it was sent to hundreds of Debian developers in the first
>> place).
>
> Even if it is a five-year-old message? I do think security problems
> released 5 years ago are already fixed, or are you talking about
> something else?

Some of these issues are certainly unfixed, and very, very few might
even be unpublished.  It's unlikely that one of those has been sent to
Debian, though.

But anyway, we are dealing with *bugs*, and we have publicly
documented that we won't hide them, so this aspect is probably okay in
some twisted way.  I'm not sure if such a move will be well-received
in the security community, though.

I also worry about security reports that include personally
identifiable information, trade (business?) secrets or copyrighted
material, which are not really relevant to the bug itself, but were
sent in with the expectation that this was a typical vendor security
contact.  Publishing such things might get Debian into legal trouble,
especially if the publication was not requested by the original
author.


