Lars Wirzenius <[email protected]> writes:

> I'm not opposed to amending the SC to say that security issues may be
> kept private for a limited time, but I'm not sure it's worth it.

Yup, this is where I'm at too.

> I especially would like to avoid anything that results in nitpicking
> details, either during a GR or in the future, about what is a security
> issue, what is a serious issue, and what is a limited time, and what
> punishments we should have for exceeding a time limit.

Indeed.

> In my opinion, we already follow the spirit of not hiding bugs. We do
> publish security issues. If anything, the SC might be amended to not
> specify details of how we achieve the not-hiding of bugs. For example,
> we don't track security bugs on bugs.debian.org (which is clearly "our
> bug database"), but in a separate tracker. Is that a violation of the
> SC as well? (That's a rhetorical question, and we will now commence a
> long discussion about it in 3, 2, 1...)

> As a constitutional document, the social contract should stick to
> project values, not how to implement those.

Yeah, I should have been clearer in my message: while I think that's a
reasonable policy if we want a policy, if we're going to change the
foundation document, I feel like we should just delegate this decision
to the DPL or their delegates (which in this case would be the security
team).

But it does seem like a non-problem in that this is the first time I
recall it even coming up.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>

