Re: Proposal for *Real* Declassification of debian-private archives
Florian Weimer <email@example.com> writes:

> Some of these issues are certainly unfixed, and very, very few might
> even be unpublished. It's unlikely that one of those has been sent to
> Debian, though.

And if it has been sent to Debian and ignored, I'd say that our Social
Contract _mandates_ us to publish it ("We do not hide problems" - not
taking any action in _three_years_ is hiding).

> But anyway, we are dealing with *bugs*, and we have publicly
> documented that we won't hide them, so this aspect is probably okay in
> some twisted way. I'm not sure if such a move will be well-received
> in the security community, though.

I don't think any security watchlist has a three-year time limit
between bug reporting and bug publishing. I may be wrong.

> I also worry about security reports that include personally
> identifiable information, trade (business?) secrets or copyrighted
> material, which are not really relevant to the bug itself, but were
> sent in with the expectation that this was a typical vendor security
> contact. Publishing such things might get Debian into legal trouble,
> especially if the publication was not requested by the original

This is a valid concern. I would think that the declassification team
takes this into account. And as you can see from the proposal, we all
have a veto on the declassification (the list is published first to
the developers, who can then propose a GR - and I would think that
valid, strong objections directly to the team would work even without

* Sufficiently advanced magic is indistinguishable from technology (T.P) *
* PGP public key available @ http://www.iki.fi/killer *