Re: Proposal for *Real* Declassification of debian-private archives
* Kalle Kivimaa:
> Florian Weimer <email@example.com> writes:
>> Some of these issues are certainly unfixed, and very, very few might
>> even be unpublished. It's unlikely that one of those has been sent to
>> Debian, though.
> And if it has been sent to Debian and ignored, I'd say that our Social
> Contract _mandates_ us to publish it ("We do not hide problems" - not
> taking any action in _three_years_ is hiding).

It's inaction, not hiding. Secret bug trackers (which allegedly exist
nowadays) are hiding.

>> But anyway, we are dealing with *bugs*, and we have publicly
>> documented that we won't hide them, so this aspect is probably okay in
>> some twisted way. I'm not sure if such a move will be well-received
>> in the security community, though.
> I don't think any security watchlist has a three-year time limit
> between bug reporting and bug publishing. I may be wrong.

Many of the interesting security issues are never disclosed. You
shouldn't assume that disclosure is industry standard practice just
because some folks on BUGTRAQ like to play whack-the-vendor.

> This is a valid concern. I would think that the declassification team
> takes this into account. And as you can see from the proposal, we all
> have a veto on the declassification (the list is published first to
> the developers, who can then propose a GR - and I would think that
> valid, strong objections directly to the team would work even without
> a GR).

I cannot grasp how that would work. Sure, you could publish hashes of
the message in the GR, but this kind of partially secret GR is at odds
with the spirit of the Constitution.