Re: Proposed GR: State exception for security bugs in Social Contract clause 3



Lars Wirzenius <liw@liw.fi> writes:

> I'm not opposed to amending the SC to say that security issues may be
> kept private for a limited time, but I'm not sure it's worth it.

Yup, this is where I'm at too.

> I especially would like to avoid anything that results in nitpicking
> details, either during a GR or in the future, about what is a security
> issue, what is a serious issue, and what is a limited time, and what
> punishments we should have for exceeding a time limit.

Indeed.

> In my opinion, we already follow the spirit of not hiding bugs. We do
> publish security issues. If anything, the SC might be amended to not
> specify details of how we achieve the not-hiding of bugs. For example,
> we don't track security bugs on bugs.debian.org (which is clearly "our
> bug database"), but in a separate tracker. Is that a violation of the
> SC as well? (That's a rhetorical question, and we will now commence a
> long discussion about it in 3, 2, 1...)

> As a constitutional document, the social contract should stick to
> project values, not how to implement those.

Yeah, I should have been clearer in my message: while I think that's a
reasonable policy if we want a policy, if we're going to change the
foundation document, I feel like we should just delegate this decision to
the DPL or their delegates (which in this case would be the security
team).

But it does seem like a non-problem in that this is the first time I
recall it even coming up.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
