Re: Proposed GR: State exception for security bugs in Social Contract clause 3
On 14/01/17 01:25, Sean Whitton wrote:
> Hello,
>
> On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote:
>> Of course, I take it as my fault (maybe because I recognized Sean as
>> quite active already in the project, overestimating his grip of our
>> common practices and general views) that I didn't give enough
>> background on similar experiences we had in the past (i.e. the long
>> flamefest¹ that followed "Editorial amendments"² and that quite
>> clearly delayed Sarge for over a year), which in turn explains why our
>> community views GRs as something that should be used very sparingly.
>
> For the record, I do not take Gunnar to be at any fault here. However,
> it is true that had Gunnar not expected my GR to be uncontroversial, I
> probably wouldn't have proposed it.
>
> While I stand by my GR in principle, I agree with those who have said
> that it is not worth spending time on something like this unless it's
> going to pass without opposition. Since this GR /has/ turned out to be
> quite controversial, I hereby withdraw it.
>
>> Now, the arguments that have been given so far regarding this topic
>> are strong, and I do think I should have thought better about my answers
>> as an AM. I did feel a moral obligation to answer this thread. I
>> understand Sean must be frustrated by the lack of empathy to his drive
>> for correcting reality impedance; maybe it should not be via an
>> amendment to a foundation document, but by prominently enough
>> (somebody please define "enough") clearly documenting that we adhere
>> to reasonable embargo disclosure guidelines, such as the one mentioned
>> by Russ.
>
> I just created this: https://wiki.debian.org/SocialContractFAQ
>
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it. Is that right? If so, it could be added to the new FAQ.
>
> After some polishing, maybe the WWW team could add a link to the new FAQ
> from the Social Contract itself. That would adequately respond to the
> reasons I had for proposing this GR: a newcomer who was particularly
> concerned about transparency would soon find their way to this page.
Maybe there should be a note about how we handle embargoed vulnerabilities here:
https://www.debian.org/security/faq
Cheers,
Emilio