On Tue, Jan 10, 2017 at 07:30:23AM +0100, Moritz Mühlenhoff wrote:
> Scott Kitterman <deb...@kitterman.com> wrote:
> > Has anyone ever seriously questioned the appropriateness of the
> > Security Team's practices based on the Social Contract?
>
> Not in the last 11 years since I'm around. If that came up before, Martin or
> Wichert should know.
Man, Debian is just the _worst_ at hiding problems. Security issues? We hide them by announcing them on a dedicated mailing list.

Now, it's true that we track security issues in a different tracker, and it's private, which is in contradiction to what the social contract says:

    We will keep our entire bug report database open for public view at all times. Reports that people file online will promptly become visible to others.

I'm not opposed to amending the SC to say that security issues may be kept private for a limited time, but I'm not sure it's worth it. I especially would like to avoid anything that results in nitpicking details, either during a GR or in the future, about what is a security issue, what is a serious issue, what is a limited time, and what punishments we should have for exceeding a time limit.

In my opinion, we already follow the spirit of not hiding bugs. We do publish security issues. If anything, the SC might be amended to not specify details of how we achieve the not-hiding of bugs. For example, we don't track security bugs on bugs.debian.org (which is clearly "our bug database"), but in a separate tracker. Is that a violation of the SC as well? (That's a rhetorical question, and we will now commence a long discussion about it in 3, 2, 1...)

As a constitutional document, the social contract should stick to project values, not how to implement those.

-- 
I want to build worthwhile things that might last. --joeyh