On Nov 2, 2010, at 11:48, Jussi Kukkonen wrote:

> On 11/02/2010 11:43 AM, Jeremiah Foster wrote:
>> On Nov 1, 2010, at 20:03, Ryan Ware wrote:
>>>
>>> On Mon, Nov 1, 2010 at 10:51 AM, Jeremiah Foster
>>> <[email protected]> wrote:
>>>>
>>>> My understanding with most Open Source projects is that bugs would
>>>> never be hidden - the current policy, even if it applies to just
>>>> one hardware vendor, seems to be in direct contradiction to the
>>>> Linux Foundation's claims to openness. I'd like to point out that the
>>>> Linux Foundation bylaws state: "The purposes of this corporation
>>>> include promoting, protecting, and standardizing Linux and open
>>>> source software."
>>>
>>> Then your understanding is incorrect.
>>
>> Is it?
>>
>> Debian is one of the oldest Linux distros, the largest in terms of
>> packages, and the most successful in terms of deployment if you count
>> derivatives such as Ubuntu, Mint, etc. Here's their bug policy:
>> http://www.debian.org/social_contract from which I quote: "We will
>> keep our entire bug report database open for public view at all
>> times."
>>
>> Fedora is also a large, highly successful Linux distro; here is their
>> policy: http://fedoraproject.org/wiki/Security/TrackingBugs I'll
>> highlight a quote: "Parent bug is publicly viewable."
>>
>> The GNU project, which comprises a significant portion of any Linux
>> distribution, including MeeGo, also has an open bug policy.
>>
>> Gentoo's policy has an exception in that they have a security embargo:
>> http://www.gentoo.org/security/en/vulnerability-policy.xml Gentoo's
>> policy is reasonable because they are aiming to protect their users
>> from known zero-day exploits which may directly affect users. It is
>> interesting to note that other Open Source projects have also
>> considered this policy, but rejected it as offering no real security
>> advantage.
>>
>> I don't think my understanding is incorrect; Open Source projects
>> have open bug trackers.
> It is incorrect, at least with regard to distros.

Your statement has no basis in fact. There is not a single closed bug in Debian's BTS. Please point to a closed bug in Debian to back up your statement.

> There are various ways to deal with this and a very common approach is
> to keep selected bugs closed (this is also a requirement for access to
> various vulnerability information sources).

If you are referring to the vendor-sec mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec

then yes, that is one of the "various ways" to deal with security bugs. But this list is not "closed": "The mailing list is unmoderated, but requests for membership are manually vetted to ensure that only the target audience may join. This is done to avoid leaking the potentially sensitive discussions, as vendor-sec members often have access to information about vulnerabilities before they become public."

> As an example, these distros embargo security information in some form:
> * Debian

There is a security team inside Debian, and the Debian Developer's Reference refers to the handling of security-critical bugs:

http://www.debian.org/doc/developers-reference/pkgs.html#bug-security

To quote from that:

http://www.debian.org/doc/developers-reference/pkgs.html#bug-security

If this is what you are referring to, please note this is NOT the BTS; this is the separate Security Tracker, and even here that secrecy is limited.

> * Gentoo

I already identified Gentoo as imposing an embargo.

> * Fedora
> * Ubuntu
> * Mint
> That's five out of the five distros you mentioned. At least the last
> four use a bug tracking system in the same way MeeGo does.

If a bug is open in Debian, it is most likely open in Ubuntu, since Ubuntu is quite close to Debian, and Mint is based on Ubuntu (moving to Debian), so that point is moot too. Fedora's policy needs more scrutiny; I'm not convinced it is as you say it is. I think it is closer to Debian's policy.

> Whether MeeGo bugzilla is the right place for other limited-access bugs
> may be debatable. Arguing that a vulnerability information embargo is an
> uncommon policy among distros is just silly.

That is not the argument. The argument was whether or not to close bugs in the bug tracking system. I argue this is the wrong thing to do. I also concede that some form of security embargo is warranted. These two positions are not mutually exclusive.

Jeremiah

_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
