Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-19 Thread Martin Bagge / brother
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2017-01-14 11:49, Ben Finney wrote: > Sean Whitton writes: > >> While I stand by my GR in principle, I agree with those who have >> said that it is not worth spending time on something like this >> unless it's going to

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-15 Thread Sean Whitton
Thank you to Russ and Ben for the encouragement! On Sat, Jan 14, 2017 at 08:48:40AM +, Ian Campbell wrote: > You should read up on Coordinated (or Responsible) Disclosure vs. Full > Disclosure (not an uncontroversial topic in itself), the choice of > which one is used for a given bug is

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-14 Thread Ben Finney
Sean Whitton writes: > While I stand by my GR in principle, I agree with those who have said > that it is not worth spending time on something like this unless it's > going to pass without opposition. Since this GR /has/ turned out to be > quite controversial, I hereby

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-14 Thread Emilio Pozuelo Monfort
On 14/01/17 01:25, Sean Whitton wrote: > Hello, > > On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote: >> Of course, I take it as my fault (maybe because I recognized Sean as >> quite active already in the project, overestimating his grip of our >> common practices and general views)

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-14 Thread Ian Campbell
On Fri, 2017-01-13 at 17:25 -0700, Sean Whitton wrote: > > My understanding of the policy that Russ linked to was that the security > team are de facto bound to that policy because all the other distros are > following it.  Is that right?  If so, it could be added to the new FAQ. You should read

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-13 Thread Russ Allbery
Sean Whitton writes: > For the record, I do not take Gunnar to be at any fault here. However, > it is true that had Gunnar not expected my GR to be uncontroversial, I > probably wouldn't have proposed it. > While I stand by my GR in principle, I agree with those who

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-13 Thread Sean Whitton
On Thu, Jan 12, 2017 at 04:39:05PM -0500, Scott Kitterman wrote: > That then has the opposite problem. It clearly narrows the notion of not > hiding problems and I don't think that's good either. Good point. > P.S. I am subscribed. Please don't cc me. Whoops, sorry about that. -- Sean

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-13 Thread Sean Whitton
Hello, On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote: > Of course, I take it as my fault (maybe because I recognized Sean as > quite active already in the project, overestimating his grip of our > common practices and general views) that I didn't give enough > background on similar

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-13 Thread Gunnar Wolf
Sean Whitton dijo [Mon, Jan 09, 2017 at 07:08:19PM -0700]: > Title: State exception for security bugs in Social Contract clause 3 > (...) I have been following this thread, and although four days might not seem like a long time, I feel that my commenting here is due. In this thread, Martin Bagge

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-13 Thread Ian Jackson
Tobias Frost writes ("Re: Proposed GR: State exception for security bugs in Social Contract clause 3"): > Seems that topic has been previously discussed already: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129604 Good grief. If it really is necessary to make th

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-12 Thread Tobias Frost
Am 13. Januar 2017 06:17:48 GMT+08:00 schrieb Philip Hands : >Scott Kitterman writes: > >> On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote: >>> Hello, >>> >>> On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote: >>> > Here's an

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-12 Thread Philip Hands
Scott Kitterman writes: > On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote: >> Hello, >> >> On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote: >> > Here's an example of possible unintended consequences: >> > >> > Currently we enumerate no

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-12 Thread Scott Kitterman
On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote: > Hello, > > On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote: > > Here's an example of possible unintended consequences: > > > > Currently we enumerate no specifics about exceptions to when things > > should be public.

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-11 Thread Scott Kitterman
On January 11, 2017 4:47:30 PM EST, Sean Whitton wrote: >Hello Scott, > >On Tue, Jan 10, 2017 at 07:04:02PM -0500, Scott Kitterman wrote: >> Yes, but all your proposed GR does is move the problem one definition >> to the right. > >I don't follow this objection. The

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-11 Thread Sean Whitton
Hello Scott, On Tue, Jan 10, 2017 at 07:04:02PM -0500, Scott Kitterman wrote: > Yes, but all your proposed GR does is move the problem one definition > to the right. I don't follow this objection. The SC is not meant to contain exhaustive details of policies. At present, though, I think it

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-11 Thread Sean Whitton
Hello, On Wed, Jan 11, 2017 at 09:17:27AM +0100, Joerg Jaspert wrote: > Also, this is IMO nothing for a foundational document. But some docs > around it as explanation on how real world handles things. Do we have such a doc right now? Possibly somewhere on the wiki I'm unaware of? -- Sean

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-11 Thread Ian Jackson
Scott Kitterman writes ("Re: Proposed GR: State exception for security bugs in Social Contract clause 3"): > What is the definition of serious and what is the definition of limited? It is excellent that Sean's proposal for the SC leaves that vague. Of course we may want to actua

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-11 Thread Joerg Jaspert
On 14549 March 1977, Sean Whitton wrote: > No-one who understands how GNU/Linux distributions work thinks that > there is anything problematic about short-term embargos of information > about serious security bugs. However, the SC is not just for those > people: it's also something for newcomers

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-10 Thread Martin Bagge / brother
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2017-01-10 07:49, Lars Wirzenius wrote: > I'm not opposed to amending the SC to say that security issues may > be kept private for a limited time, but I'm not sure it's worth > it. This. Hear hear. > I especially would like to avoid anything

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-10 Thread Scott Kitterman
On Tuesday, January 10, 2017 04:45:36 PM Sean Whitton wrote: > Hello, > > In my original proposal e-mail, I should have said more about why I > think this is a good idea. My apologies for not having done so. > > No-one who understands how GNU/Linux distributions work thinks that > there is

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-10 Thread Sean Whitton
Hello, In my original proposal e-mail, I should have said more about why I think this is a good idea. My apologies for not having done so. No-one who understands how GNU/Linux distributions work thinks that there is anything problematic about short-term embargos of information about serious

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-10 Thread Bdale Garbee
Scott Kitterman writes: > I don't think we should be monkeying with the Social Contract to solve a non- > problem. I agree. Bdale

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-10 Thread Russ Allbery
Lars Wirzenius writes: > I'm not opposed to amending the SC to say that security issues may be > kept private for a limited time, but I'm not sure it's worth it. Yup, this is where I'm at too. > I especially would like to avoid anything that results in nitpicking > details, either

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Bas Wijnen
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Jan 10, 2017 at 08:49:56AM +0200, Lars Wirzenius wrote: > Now, it's true that we track security issues in a different, and > it's private, which is in contradiction to what the social contract > says: It's also a service to our users and free

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Lars Wirzenius
On Tue, Jan 10, 2017 at 07:30:23AM +0100, Moritz Mühlenhoff wrote: > Scott Kitterman wrote: > > Has anyone ever seriously questioned the appropriateness of the > > Security Team's practices based on the Social Contract? > > Not in the last 11 years since I've been around. If that

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Moritz Mühlenhoff
Scott Kitterman wrote: > Has anyone ever > seriously questioned the appropriateness of the Security Team's practices > based on the Social Contract? Not in the last 11 years since I've been around. If that came up before, Martin or Wichert should know. > I don't think we

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Scott Kitterman
On Monday, January 09, 2017 09:00:58 PM Russ Allbery wrote: > Scott Kitterman writes: > > On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote: > >> === BEGIN GR TEXT === > >> > >> Title: State exception for security bugs in Social Contract clause 3 > >> > >> 1.

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Russ Allbery
Scott Kitterman writes: > On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote: >> === BEGIN GR TEXT === >> >> Title: State exception for security bugs in Social Contract clause 3 >> >> 1. Debian has a longstanding practice of sharing information about >> serious

Re: Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Scott Kitterman
On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote: > === BEGIN GR TEXT === > > Title: State exception for security bugs in Social Contract clause 3 > > 1. Debian has a longstanding practice of sharing information about > serious security bugs with only the security team. This is so

Proposed GR: State exception for security bugs in Social Contract clause 3

2017-01-09 Thread Sean Whitton
=== BEGIN GR TEXT === Title: State exception for security bugs in Social Contract clause 3 1. Debian has a longstanding practice of sharing information about serious security bugs with only the security team. This is so that they can co-ordinate release of the information with other