Re: Bug#339837: Publishing more data could maybe help
On Tue, 25 Apr 2006, Francesco Poli wrote:
> On Tue, 25 Apr 2006 00:31:45 +0200 Javier Fernández-Sanguino Peña wrote:
> > I have asked a public interface to the stable security team in the
> > past to their data but it doesn't seem to be possible.
>
> I think that this should be changed, as the SC states:
>
> | 3. We will not hide problems
> | We will keep our entire bug report database open for public view
> | at all times. Reports that people file online will promptly
> | become visible to others.
>
> Even if the explanation talks about the BTS in particular, I think that
> the spirit of SC#3 should apply to other areas too (e.g. problems that
> are known to some DDs, but are not yet reported to the BTS).

Here we basically have two choices.

1. Certain people sign NDAs/agreements to get the early disclosure
information; in return they cannot disclose the information. We lose
transparency, but security bugs can be fixed before they're (widely)
known in the wild.

2. No one signs NDAs/agreements, we're transparent; we don't have the
information to publish in the BTS anyway, and the security bugs can't
be started to be fixed until after they're published.

Don Armstrong
--
She was alot like starbucks.
IE, generic and expensive.
-- hugh macleod http://www.gapingvoid.com/batch3.htm
http://www.donarmstrong.com http://rzlab.ucr.edu