[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

Am 13. Januar 2017 06:17:48 GMT+08:00 schrieb Philip Hands <phil@hands.com>:
>Scott Kitterman <debian@kitterman.com> writes:
>> On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote:
>>> Hello,
>>> On Thu, Jan 12, 2017 at 03:11:46AM +0000, Scott Kitterman wrote:
>>> > Here's an example of possible unintended consequences:
>>> > 
>>> > Currently we enumerate no specifics about exceptions to when
>>> > should be public.  Once we have a foundational list of acceptable
>>> > reasons to not be public (security would be the only one), then
>>> > easy to infer that's the complete list.
>>> > 
>>> > Would this GR prohibit the tech ctte practice of private
>>> > about recommendations for new members?  I think it might.
>>> > 
>>> > I've worked in private with other DDs to resolve disputes within
>>> > project.  Often a quiet conversation out of the public glare can
>>> > solutions possible that wouldn't happen if all discussion was
>>> > Does this GR prohibit that?  Maybe.
>>> Thank you for your e-mail -- I now understand your objection.
>>> All the other wording in clause 3 is about bug reports against the
>>> Debian system.  The examples that you give are about unresolved
>>> in the Debian project -- disputes between people, rather than
>>> in source and binary packages.  I find the line between the Debian
>>> system and the Debian project to be fairly sharp.  I'd be interested
>>> hear if you disagree.
>>> The header of clause 3 ("We will not hide problems") admittedly
>>> refer to your examples.  Would it help if my GR text were amended to
>>> append "in the Debian system" to the header of the clause?
>> That then has the opposite problem.  It clearly narrows the notion of
>> hiding problems and I don't think that's good either.
>> I'm still at don't monkey with foundational documents to solve
>> non-problems.
>I'm yet to be convinced that there exists anyone that would be upset by
>the fact that our security team might abide by embargoes in supposed
>defiance of 'not hide problems'.  I am also not convinced that if there
>does exist such a person, and they are capable of becoming upset enough
>about it to be driven away from Debian, that that would be a great
>Cheers, Phil.

Seems that topic has been previously discussed already: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129604

(just came across that bug by purechange yesterday)
Tobias Frost
GPG fingerprint: 13C9 04F0 CE08 5E7C 3630 7985 DECF 849A A635 7FB7

Reply to: