On Monday, January 09, 2017 09:00:58 PM Russ Allbery wrote: > Scott Kitterman <debian@kitterman.com> writes: > > On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote: > >> === BEGIN GR TEXT === > >> > >> Title: State exception for security bugs in Social Contract clause 3 > >> > >> 1. Debian has a longstanding practice of sharing information about > >> > >> serious security bugs with only the security team. This is so that > >> they can co-ordinate release of the information with other vendors. > >> > >> 2. The third clause of our Social Contract says that "We will not hide > >> > >> problems." However, the practice of embargoing information about > >> serious security bugs could be seen as the hiding of problems. > >> > >> 3. Resolve to append the following to clause 3 of the Social Contract: > >> An exception is made for serious security problems. Information > >> about these may be kept confidential for a limited period of time, > >> so that a release of information may be co-ordinated with other > >> vendors. > >> > >> === END GR TEXT === > > > > What is the definition of serious and what is the definition of limited? > > My preference would be to just reuse the distros disclosure policy, as > that's been hashed out in public among the security community and is used > by all the various Linux distributions. > > http://oss-security.openwall.org/wiki/mailing-lists/distros > > Please note that the maximum acceptable embargo period for issues > disclosed to these lists is 14 to 19 days, with embargoes longer than > 14 days (up to 19) allowed in case the issue is reported on a Thursday > or a Friday and the proposed coordinated disclosure date is thus > adjusted to fall on a Monday or a Tuesday. Please do not ask for a > longer embargo. In fact, embargo periods shorter than 7 days are > preferable. Please notify upstream projects/developers of the affected > software, other affected distro vendors, and/or affected Open Source > projects before notifying one of these mailing lists in order to > ensure that these other parties are OK with the maximum embargo period > that would apply (and if not, then you may have to delay your > notification to the mailing list), unless you're confident you'd > choose to ignore their preference anyway and disclose the issue > publicly soon as per the policy stated here. > > Note that this still lets you make exceptions if upstream wants a longer > embargo period (by holding off on notifying distros and contacting other > distributions out of band). It's hard to make this decision in advance > for everything; there are always challenging special circumstances. (I as > a DD would be fine with our security team making that call in exceptional > situations.) > > I don't think there's much point in defining serious. If we have a > disclosure policy, then it doesn't matter as much. I don't think this sort of thing is amenable to being specifically defined in a way that's really suitable for foundational documents. Has anyone ever seriously questioned the appropriateness of the Security Team's practices based on the Social Contract? I don't think we should be monkeying with the Social Contract to solve a non- problem. Scott K
Attachment:
signature.asc
Description: This is a digitally signed message part.