Linux Today: Linux News On Internet Time.

Debian Bugs: Social Contract: We Do Hide Problems

Jan 18, 2002, 00:08

Comments from a filed bug (not an official Debian position) regarding vulnerability notification as it might pertain to Debian's Social Contract:

"Over the past few months, the GNU/Linux community has slowly adopted a way of dealing with security issues which closely resembles the approach suggested by Microsoft last year: more-or-less systematic hiding of security problems from end users, at least for some time.

Some Debian maintainers seem to participate in this process, and hold back security fixes, waiting for events to happen which are external and not related to the Debian project (for example, other distributors being ready to publish fixes).

I'm not sure if this approach is desirable, or has the intended effect. However, I do think that it is conflicting with the third item of the Social Contract: The promise, "We Won't Hide Problems", is not held. (The following technical explanation is honored, though, such problem reports never enter the Bug Tracking System before release.)

However, I do think that the Social Contract needs to reflect this problem. After all, the claim, "We Won't Hide Problems", gives the user a false sense of security and openness."
