-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 2017-01-14 11:49, Ben Finney wrote:
> Sean Whitton writes:
>
>> While I stand by my GR in principle, I agree with those who have
>> said that it is not worth spending time on something like this
>> unless it's going to pass without opposition. S
Thank you to Russ and Ben for the encouragement!
On Sat, Jan 14, 2017 at 08:48:40AM +, Ian Campbell wrote:
> You should read up on Coordinated (or Responsible) Disclosure vs. Full
> Disclosure (not an uncontroversial topic in itself), the choice of
> which one is used for a given bug is usuall
Sean Whitton writes:
> While I stand by my GR in principle, I agree with those who have said
> that it is not worth spending time on something like this unless it's
> going to pass without opposition. Since this GR /has/ turned out to be
> quite controversial, I hereby withdraw it.
I support you
On 14/01/17 01:25, Sean Whitton wrote:
> Hello,
>
> On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote:
>> Of course, I take it as my fault (maybe because I recognized Sean as
>> quite active already in the project, overestimating his grip of our
>> common practices and general views) tha
On Fri, 2017-01-13 at 17:25 -0700, Sean Whitton wrote:
>
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it. Is that right? If so, it could be added to the new FAQ.
You should read
Sean Whitton writes:
> For the record, I do not take Gunnar to be at any fault here. However,
> it is true that had Gunnar not expected my GR to be uncontroversial, I
> probably wouldn't have proposed it.
> While I stand by my GR in principle, I agree with those who have said
> that it is not w
On Thu, Jan 12, 2017 at 04:39:05PM -0500, Scott Kitterman wrote:
> That then has the opposite problem. It clearly narrows the notion of not
> hiding problems and I don't think that's good either.
Good point.
> P.S. I am subscribed. Please don't cc me.
Whoops, sorry about that.
--
Sean Whit
Hello,
On Fri, Jan 13, 2017 at 11:38:25AM -0600, Gunnar Wolf wrote:
> Of course, I take it as my fault (maybe because I recognized Sean as
> quite active already in the project, overestimating his grip of our
> common practices and general views) that I didn't give enough
> background on similar e
Sean Whitton said [Mon, Jan 09, 2017 at 07:08:19PM -0700]:
> Title: State exception for security bugs in Social Contract clause 3
> (...)
I have been following this thread, and although four days might not
seem like a long time, I feel that my commenting here is due.
In this thread, Martin Bagge a
Tobias Frost writes ("Re: Proposed GR: State exception for security bugs in Social Contract clause 3"):
> Seems that topic has been previously discussed already:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129604
Good grief.
If it really is necessary to make the poi
On 13 January 2017 06:17:48 GMT+08:00, Philip Hands wrote:
>Scott Kitterman writes:
>
>> On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote:
>>> Hello,
>>>
>>> On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote:
>>> > Here's an example of possible unintended consequences:
Scott Kitterman writes:
> On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote:
>> Hello,
>>
>> On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote:
>> > Here's an example of possible unintended consequences:
>> >
>> > Currently we enumerate no specifics about exceptions to
On Thursday, January 12, 2017 02:26:59 PM Sean Whitton wrote:
> Hello,
>
> On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote:
> > Here's an example of possible unintended consequences:
> >
> > Currently we enumerate no specifics about exceptions to when things
> > should be public.
Hello,
On Thu, Jan 12, 2017 at 03:11:46AM +, Scott Kitterman wrote:
> Here's an example of possible unintended consequences:
>
> Currently we enumerate no specifics about exceptions to when things
> should be public. Once we have a foundational list of acceptable
> reasons to not be public (
On January 11, 2017 4:47:30 PM EST, Sean Whitton wrote:
>Hello Scott,
>
>On Tue, Jan 10, 2017 at 07:04:02PM -0500, Scott Kitterman wrote:
>> Yes, but all your proposed GR does is move the problem one definition
>> to the right.
>
>I don't follow this objection. The SC is not meant to contain
>
Hello Scott,
On Tue, Jan 10, 2017 at 07:04:02PM -0500, Scott Kitterman wrote:
> Yes, but all your proposed GR does is move the problem one definition
> to the right.
I don't follow this objection. The SC is not meant to contain
exhaustive details of policies. At present, though, I think it goes
Hello,
On Wed, Jan 11, 2017 at 09:17:27AM +0100, Joerg Jaspert wrote:
> Also, this is IMO nothing for a foundational document. But some docs
> around it as explanation on how real world handles things.
Do we have such a doc right now? Possibly somewhere on the wiki I'm
unaware of?
--
Sean Whit
Scott Kitterman writes ("Re: Proposed GR: State exception for security bugs in Social Contract clause 3"):
> What is the definition of serious and what is the definition of limited?
It is excellent that Sean's proposal for the SC leaves that vague.
Of course we may want to
On 14549 March 1977, Sean Whitton wrote:
> No-one who understands how GNU/Linux distributions work thinks that
> there is anything problematic about short-term embargos of information
> about serious security bugs. However, the SC is not just for those
> people: it's also something for newcomers t
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 2017-01-10 07:49, Lars Wirzenius wrote:
> I'm not opposed to amending the SC to say that security issues may
> be kept private for a limited time, but I'm not sure it's worth
> it.
This.
Hear hear.
> I especially would like to avoid anything th
On Tuesday, January 10, 2017 04:45:36 PM Sean Whitton wrote:
> Hello,
>
> In my original proposal e-mail, I should have said more about why I
> think this is a good idea. My apologies for not having done so.
>
> No-one who understands how GNU/Linux distributions work thinks that
> there is anyth
Hello,
In my original proposal e-mail, I should have said more about why I
think this is a good idea. My apologies for not having done so.
No-one who understands how GNU/Linux distributions work thinks that
there is anything problematic about short-term embargos of information
about serious secu
Scott Kitterman writes:
> I don't think we should be monkeying with the Social Contract to solve a non-
> problem.
I agree.
Bdale
Lars Wirzenius writes:
> I'm not opposed to amending the SC to say that security issues may be
> kept private for a limited time, but I'm not sure it's worth it.
Yup, this is where I'm at too.
> I especially would like to avoid anything that results in nitpicking
> details, either during a GR or
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Jan 10, 2017 at 08:49:56AM +0200, Lars Wirzenius wrote:
> Now, it's true that we track security issues in a different, and
> it's private, which is in contradiction to what the social contract
> says:
It's also a service to our users and free
On Tue, Jan 10, 2017 at 07:30:23AM +0100, Moritz Mühlenhoff wrote:
> Scott Kitterman wrote:
> > Has anyone ever seriously questioned the appropriateness of the
> > Security Team's practices based on the Social Contract?
>
> Not in the last 11 years since I'm around. If that came up before, Martin
Scott Kitterman wrote:
> Has anyone ever
> seriously questioned the appropriateness of the Security Team's practices
> based on the Social Contract?
Not in the last 11 years since I'm around. If that came up before, Martin or
Wichert should know.
> I don't think we should be monkeying with the
On Monday, January 09, 2017 09:00:58 PM Russ Allbery wrote:
> Scott Kitterman writes:
> > On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:
> >> === BEGIN GR TEXT ===
> >>
> >> Title: State exception for security bugs in Social Contract clause 3
> >>
> >> 1. Debian has a longstanding p
Scott Kitterman writes:
> On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:
>> === BEGIN GR TEXT ===
>>
>> Title: State exception for security bugs in Social Contract clause 3
>>
>> 1. Debian has a longstanding practice of sharing information about
>> serious security bugs with onl
On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:
> === BEGIN GR TEXT ===
>
> Title: State exception for security bugs in Social Contract clause 3
>
> 1. Debian has a longstanding practice of sharing information about
> serious security bugs with only the security team. This is so t
=== BEGIN GR TEXT ===
Title: State exception for security bugs in Social Contract clause 3
1. Debian has a longstanding practice of sharing information about
serious security bugs with only the security team. This is so that
they can co-ordinate release of the information with other vendor