
Re: Bug#339837: Publishing more data could maybe help



On Tue, 25 Apr 2006, Francesco Poli wrote:
> On Tue, 25 Apr 2006 00:31:45 +0200 Javier Fernández-Sanguino Peña wrote:
> > I have asked the stable security team in the past for a public
> > interface to their data, but it doesn't seem to be possible.
> 
> I think that this should be changed, as the SC states:
> 
> |   3. We will not hide problems
> |      We will keep our entire bug report database open for public view
> |      at all times. Reports that people file online will promptly
> |      become visible to others.
> 
> Even if the explanation talks about the BTS in particular, I think that
> the spirit of SC#3 should apply to other areas too (e.g. problems that
> are known to some DDs, but are not yet reported to the BTS).

Here we basically have two choices.

1. Certain people sign NDAs/agreements to get the early disclosure
information; in return they cannot disclose the information. We lose
transparency, but security bugs can be fixed before they're (widely)
known in the wild.

2. No one signs NDAs/agreements, we're transparent; we don't have the
information to publish in the BTS anyway, and the security bugs can't
be started to be fixed until after they're published.


Don Armstrong

-- 
She was a lot like starbucks.
IE, generic and expensive.
 -- hugh macleod http://www.gapingvoid.com/batch3.htm

http://www.donarmstrong.com              http://rzlab.ucr.edu
