
Re: Proposed GR: State exception for security bugs in Social Contract clause 3



On 14/01/17 01:25, Sean Whitton wrote:
> Hello,
> 
> On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote:
>> Of course, I take it as my fault (maybe because I recognized Sean as
>> quite active already in the project, overestimating his grip on our
>> common practices and general views) that I didn't give enough
>> background on similar experiences we had in the past (i.e. the long
>> flamefest¹ that followed "Editorial amendments"² and that quite
>> clearly delayed Sarge for over a year), which in turn explains why our
>> community views GRs as something that should be used very sparingly.
> 
> For the record, I do not take Gunnar to be at any fault here.  However,
> it is true that had Gunnar not expected my GR to be uncontroversial, I
> probably wouldn't have proposed it.
> 
> While I stand by my GR in principle, I agree with those who have said
> that it is not worth spending time on something like this unless it's
> going to pass without opposition.  Since this GR /has/ turned out to be
> quite controversial, I hereby withdraw it.
> 
>> Now, the arguments that have been given so far regarding this topic
>> are strong, and I do think I should have thought my answers through
>> better as an AM. I did feel a moral obligation to answer this thread. I
>> understand Sean must be frustrated by the lack of empathy for his drive
>> for correcting reality impedance; maybe it should not be via an
>> amendment to a foundation document, but by prominently enough
>> (somebody please define "enough") and clearly documenting that we adhere
>> to reasonable embargo disclosure guidelines, such as the one mentioned
>> by Russ.
> 
> I just created this: https://wiki.debian.org/SocialContractFAQ
> 
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it.  Is that right?  If so, it could be added to the new FAQ.
> 
> After some polishing, maybe the WWW team could add a link to the new FAQ
> from the Social Contract itself.  That would adequately respond to the
> reasons I had for proposing this GR: a newcomer who was particularly
> concerned about transparency would soon find their way to this page.

Maybe there should be a note about how we handle embargoed vulnerabilities here:

https://www.debian.org/security/faq

Cheers,
Emilio