Re: Proposal for *Real* Declassification of debian-private archives

[Kalle Kivimaa <killer@debian.org>]

Florian Weimer <fw@deneb.enyo.de> writes:
> Some of these issues are certainly unfixed, and very, very few might
> even be unpublished.  It's unlikely that one of those has been sent to
> Debian, though.

And if it has been sent to Debian and ignored, I'd say that our Social
Contract _mandates_ us to publish it ("We do not hide problems" - not
taking any action in _three_years_ is hiding).

> But anyway, we are dealing with *bugs*, and we have publicly
> documented that we won't hide them, so this aspect is probably okay in
> some twisted way.  I'm not sure if such a move will be well-received
> in the security community, though.

I don't think any security watchlist has a three-year time limit
between bug reporting and bug publishing. I may be wrong.

> I also worry about security reports that include personally
> identifiable information, trade (business?) secrets or copyrighted
> material, which are not really relevant to the bug itself, but were
> sent in with the expectation that this was a typical vendor security
> contact.  Publishing such things might get Debian into legal trouble,
> especially if the publication was not requested by the original
> author.

This is a valid concern. I would think that the declassification team
takes this into account. And as you can see from the proposal, we all
have a veto on the declassification (the list is published first to
the developers, who can then propose a GR - and I would think that
valid, strong objections directly to the team would work even without
a GR).

-- 
* Sufficiently advanced magic is indistinguishable from technology (T.P)  *
*           PGP public key available @ http://www.iki.fi/killer           *