Re: Proposed GR: State exception for security bugs in Social Contract clause 3

On Tue, Jan 10, 2017 at 07:30:23AM +0100, Moritz Mühlenhoff wrote:
> Scott Kitterman <debian@kitterman.com> wrote:
> > Has anyone ever seriously questioned the appropriateness of the
> > Security Team's practices based on the Social Contract?
> Not in the last 11 years since I'm around. If that came up before, Martin or
> Wichert should know.

Man, Debian is just the _worst_ at hiding problems. Security issues?
We hide them by announcing them on a dedicated mailing list.

Now, it's true that we track security issues in a different, and
it's private, which is in contradiction to what the social contract

    We will keep our entire bug report database open for public view
    at all times. Reports that people file online will promptly become
    visible to others.

I'm not opposed to amending the SC to say that security issues may be
kept private for a limited time, but I'm not sure it's worth it. I
especially would like to avoid anything that results in nitpicking
details, either during a GR or in the future, about what is a security
issue, what is a serious issue, and what is a limited time, and what
punishments we should have for exceeding a time limit.

In my opinion, we already follow the spirit of not hiding bugs. We do
publish security issues. If anything, the SC might be amended to not
specify details of how we achieve the not-hiding of bugs. For example,
we don't track security bugs on bugs.debian.org (which is clearly "our
bug database"), but in a separate tracker. Is that a violation of the
SC as well? (That's a rhetorical question, and we will now commence a
long discussion about it in 3, 2, 1...)

As a constitutional document, the social contract should stick to
project values, not how to implement those.

I want to build worthwhile things that might last. --joeyh
