Comments from a filed bug (not an official Debian position)
regarding vulnerability notification as it might pertain to
Debian's Social Contract:
"Over the past few months, the GNU/Linux community has
slowly adopted a way of dealing with security issues which closely
resembles the approach suggested by Microsoft last year:
more-or-less systematic hiding of security problems from end users,
at least for some time.
Some Debian maintainers seem to participate in this process, and
hold back security fixes, waiting for events to happen which are
external and not related to the Debian project (for example, other
distributors being ready to publish fixes).
I'm not sure if this approach is desirable, or has the intended
effect. However, I do think that it is conflicting with the third
item of the Social Contract: The promise, "We Won't Hide Problems",
is not held. (The following technical explanation is honored,
though: such problem reports never enter the Bug Tracking System.)
However, I do think that the Social Contract needs to reflect
this problem. After all, the claim, "We Won't Hide Problems", gives
the user a false sense of security and openness."