On 14/01/17 01:25, Sean Whitton wrote:
> Hello,
>
> On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote:
>> Of course, I take it as my fault (maybe because I recognized Sean as
>> quite active already in the project, overestimating his grip of our
>> common practices and general views) that I didn't give enough
>> background on similar experiences we had in the past (i.e. the long
>> flamefest¹ that followed "Editorial amendments"² and that quite
>> clearly delayed Sarge for over a year), which in turn explains why our
>> community views GRs as something that should be very sparingly used.
>
> For the record, I do not take Gunnar to be at any fault here. However,
> it is true that had Gunnar not expected my GR to be uncontroversial, I
> probably wouldn't have proposed it.
>
> While I stand by my GR in principle, I agree with those who have said
> that it is not worth spending time on something like this unless it's
> going to pass without opposition. Since this GR /has/ turned out to be
> quite controversial, I hereby withdraw it.
>
>> Now, the arguments that have been given so far regarding this topic
>> are strong, and I do think I should have thought my answers through
>> better as an AM. I did feel a moral obligation to answer this thread. I
>> understand Sean must be frustrated by the lack of empathy to his drive
>> for correcting reality impedance; maybe it should not be via an
>> amendment to a foundation document, but by prominently enough
>> (somebody please define "enough") clearly documenting that we adhere
>> to reasonable embargo disclosure guidelines, such as the one mentioned
>> by Russ.
>
> I just created this: https://wiki.debian.org/SocialContractFAQ
>
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it. Is that right? If so, it could be added to the new FAQ.
>
> After some polishing, maybe the WWW team could add a link to the new FAQ
> from the Social Contract itself. That would adequately respond to the
> reasons I had for proposing this GR: a newcomer who was particularly
> concerned about transparency would soon find their way to this page.

Maybe there should be a note about how we handle embargoed vulnerabilities
here: https://www.debian.org/security/faq

Cheers,
Emilio

