Ciaran McCreesh wrote:
On Mon, 24 Jan 2005 09:58:30 +0100 Xavier-Francois Roblot
<[EMAIL PROTECTED]> wrote:
| Hi, the last unstable version of evolution 2.0.3-r1 was released to
| fix bug #79183 according to the ChangeLog. Since I am a curious guy, I
| wanted to have a look at what this bug is. But when I search for it on
| bugs.gentoo.org, I get:
|
| You are not authorized to access bug #79183.
The bug will become open to the public as soon as we're allowed to do so. Lemme explain the issue...
A fair number of security bugs come in via VendorSec. VendorSec's policy on security bugs is to keep the bug details secret until all their member distributions have released fixed versions. Gentoo is one of the VendorSec member distributions, and as part of that we have to agree not to publish details of security things we get from them until after the deadline.
Yes, it's a wonderful way to incite problems within the community. Not your fault, or gentoo's, obviously, but vendorsec is a machination of politics and I have difficulty seeing the benefit of their approach in any circumstance. I suppose I am at the extreme end of opinions on this topic, but whenever (politics > X) happens, I get frustrated.
You could argue that we shouldn't be involved in anything like this, simply on principle. However, given the choice between giving our users secure systems, or not knowing about security bugs *at all* for anything up to several months after RedHat and Debian do, the decision was made to keep certain bugs locked for a while if this was necessary for us to see the bug information.
IMO, you have to decide on what is considered more important for the users and where gentoo's ideals lie. If engaging with vendorsec is _worth_ the irritation, then recognize that there is going to be a backlash from some members of the community. I believe that ideals (or approximations thereof) are only attainable if you try to implement them.
You may already be aware of the parallel discussion regarding vendorsec in the linux.kernel newsgroup.
_k
