[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

Lars Wirzenius <liw@liw.fi> writes:

> I'm not opposed to amending the SC to say that security issues my be
> kept private for a limited time, but I'm not sure it's worth it.

Yup, this is where I'm at too.

> I especially would like to avoid anything that results in nitpicking
> details, either during a GR or in the future, about what is a security
> issue, what is a serious issue, and what is a limited time, and what
> punishments we should have for exceeding a time limit.


> In my opinion, we already follow the spirit of not hiding bugs. We do
> publish security issues. If anything, the SC might be amended to not
> specify details of how we achieve the not-hiding of bugs. For example,
> we don't track security bugs on bugs.debian.org (which is clearly "our
> bug database"), but in a separate tracker. Is that a violation of the
> SC as well? (That's a rhetorical question, and we will now commence a
> long discussion about it in 3, 2, 1...)

> As a constitutional document, the social contract should stick to
> project values, not how to implement those.

Yeah, I should have been clearer in my message: while I think that's a
reasonable policy if we want a policy, if we're going to change the
foundation document, I feel like we should just delegate this decision to
the DPL or their delegates (which in this case would be the security

But it does seem like a non-problem in that this is the first time I
recall it even coming up.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: