Debian Bug report logs - #129604
general: Social Contract: We Do Hide Problems

Package: general; Maintainer for general is debian-devel@lists.debian.org;

Reported by: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Date: Wed, 16 Jan 2002 22:48:02 UTC

Severity: normal

Tags: security

Done: Wichert Akkerman <wichert@wiggy.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#129604; Package general. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: general: Social Contract: We Do Hide Problems
Date: Wed, 16 Jan 2002 23:32:48 +0100
Package: general
Version: N/A; reported 2002-01-16
Tags: security

Over the past few months, the GNU/Linux community has slowly adopted a
way of dealing with security issues which closely resembles the approach
suggested by Microsoft last year: more-or-less systematic hiding of
security problems from end users, at least for some time.

Some Debian maintainers seem to participate in this process, and hold
back security fixes, waiting for events to happen which are external
and not related to the Debian project (for example, other distributors
being ready to publish fixes).

I'm not sure if this approach is desirable, or has the intended effect.
However, I do think that it is conflicting with the third item of the
Social Contract: The promise, "We Won't Hide Problems", is not held.
(The following technical explanation is honored, though, such problem
reports never enter the Bug Tracking System before release.)

However, I do think that the Social Contract needs to reflect this
problem.  After all, the claim, "We Won't Hide Problems", gives the user
a false sense of security and openness.





Message #10 received at 129604@bugs.debian.org (full text, mbox):

From: Julian Gilbey <J.D.Gilbey@qmul.ac.uk>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 00:20:15 +0000
On Wed, Jan 16, 2002 at 11:32:48PM +0100, Florian Weimer wrote:
> Over the past few months, the GNU/Linux community has slowly adopted a
> way of dealing with security issues which closely resembles the approach
> suggested by Microsoft last year: more-or-less systematic hiding of
> security problems from end users, at least for some time.
> 
> Some Debian maintainers seem to participate in this process, and hold
> back security fixes, waiting for events to happen which are external
> and not related to the Debian project (for example, other distributors
> being ready to publish fixes).
> 
> I'm not sure if this approach is desirable, or has the intended effect.
> However, I do think that it is conflicting with the third item of the
> Social Contract: The promise, "We Won't Hide Problems", is not held.
> (The following technical explanation is honored, though, such problem
> reports never enter the Bug Tracking System before release.)
> 
> However, I do think that the Social Contract needs to reflect this
> problem.  After all, the claim, "We Won't Hide Problems", gives the user
> a false sense of security and openness.

I would prefer this to having some other distro release an
announcement to the big wide world which says "There's a root
compromise in package foo we've just discovered, here's how you do it
and here's how to fix it", and then for us to take 4 days to implement the
patch, leaving everyone's machines vulnerable during this period.

The delays are usually short, about 2-3 weeks or so, and as long as
the compromise is kept very quiet for that limited period while a
patch is developed, everyone is usually better off for it.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

     Julian Gilbey, Dept of Maths,             Debian GNU/Linux Developer
      Queen Mary, Univ. of London         see http://people.debian.org/~jdg/
   http://www.maths.qmul.ac.uk/~jdg/           or http://www.debian.org/
        Visit http://www.thehungersite.com/ to help feed the hungry



Reply sent to Wichert Akkerman <wichert@wiggy.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 129604-done@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@wiggy.net>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 129604-done@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 01:30:09 +0100
Previously Florian Weimer wrote:
> Over the past few months, the GNU/Linux community has slowly adopted a
> way of dealing with security issues which closely resembles the approach
> suggested by Microsoft last year: more-or-less systematic hiding of
> security problems from end users, at least for some time.

We haven't changed policy at all.

> Some Debian maintainers seem to participate in this process, and hold
> back security fixes, waiting for events to happen which are external
> and not related to the Debian project (for example, other distributors
> being ready to publish fixes).

It's either coordinating such advisories or not getting the information
at all, which means we'll be much later than other distributors and
have less support for our users.

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |




Message #20 received at 129604@bugs.debian.org (full text, mbox):

From: martin f krafft <madduck@madduck.net>
To: debian developers <debian-devel@lists.debian.org>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 01:50:26 +0100
also sprach Julian Gilbey <J.D.Gilbey@qmul.ac.uk> [2002.01.17.0120 +0100]:
> I would prefer this to having some other distro release an
> announcement to the big wide world which says "There's a root
> compromise in package foo we've just discovered, here's how you do it
> and here's how to fix it", and then for us to take 4 days to implement the
> patch, leaving everyone's machines vulnerable during this period.

sure it's preferable to do it that way, but it's not the right approach.
who says that the information on the exploit is kept private and not
abused?

as a system administrator, i'd much rather know about everything! if the
security patch isn't available right then, then i simply disabled the
service until then. period.

> The delays are usually short, about 2-3 weeks or so, and as long as
> the compromise is kept very quiet for that limited period while a
> patch is developed, everyone is usually better off for it.

not true. kept very quiet doesn't exclude someone else finding it.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"no, 'eureka' is greek for 'this bath is too hot.'"
                                                            -- dr. who

Message #25 received at 129604@bugs.debian.org (full text, mbox):

From: Glenn McGrath <bug1@optushome.com.au>
To: Julian Gilbey <J.D.Gilbey@qmul.ac.uk>
Cc: Weimer@CERT.Uni-Stuttgart.DE, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 11:47:03 +1100
On Thu, 17 Jan 2002 00:20:15 +0000
"Julian Gilbey" <J.D.Gilbey@qmul.ac.uk> wrote:

> The delays are usually short, about 2-3 weeks or so, and as long as
> the compromise is kept very quiet for that limited period while a
> patch is developed, everyone is usually better off for it.
> 

Anyone who disagrees with the principles of the social contract should
orphan all their packages until either the social contract is changed
to something they do agree with (unlikely, I hope) or they change their
mind about their objections.


Glenn




Message #30 received at 129604@bugs.debian.org (full text, mbox):

From: Adam Majer <adamm@galacticasoftware.com>
To: debian developers <debian-devel@lists.debian.org>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Wed, 16 Jan 2002 20:03:48 -0600
On Thu, Jan 17, 2002 at 01:50:26AM +0100, martin f krafft wrote:
> also sprach Julian Gilbey <J.D.Gilbey@qmul.ac.uk> [2002.01.17.0120 +0100]:
> 
> as a system administrator, i'd much rather know about everything! if the
> security patch isn't available right then, then i simply disabled the
> service until then. period.
> 
> > The delays are usually short, about 2-3 weeks or so, and as long as
> > the compromise is kept very quiet for that limited period while a
> > patch is developed, everyone is usually better off for it.
> 
> not true. kept very quiet doesn't exclude someone else finding it.

But it might keep Security team and others from finding it....




Message #35 received at 129604@bugs.debian.org (full text, mbox):

From: Ben Collins <bcollins@debian.org>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Wed, 16 Jan 2002 21:35:35 -0500
You are misunderstanding two different circumstances.

Security alerts happen in two different ways:

1) The Author/Vendor/Security-Group discovers the vulnerability in a
   closed situation. They want the distribution vendors to have a chance
   to fix it before making the vulnerability known. So they cooperate. This
   is good, not only for the distro vendors, but for their users.

2) A vulnerability is discovered because it is being actively exploited
   out in the wild. This sort of security issue is handled "as fast as
   possible", because there is no cooperation to work things out in
   advance; the damage is already being done.

Do not downplay the role of situation "1" as being "closed".

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'




Message #40 received at 129604@bugs.debian.org (full text, mbox):

From: Glenn McGrath <bug1@optushome.com.au>
To: 129604@bugs.debian.org
Subject: Interpreting the Social Contract, what is our priority ?
Date: Thu, 17 Jan 2002 20:41:27 +1100
On Thu, 17 Jan 2002 11:47:03 +1100
"Glenn McGrath" <bug1@optushome.com.au> wrote:

> Anyone who disagrees with the principles of the social contract should
> orphan all their packages until either the social contract is changed
> to something they do agree with (unlikely, I hope) or they change their
> mind about their objections.
> 

Actually, this was a pretty naive statement from me.... It's been pointed
out to me that the social contract is open to interpretation.

"4. Our Priorities are Our Users and Free Software"

If there are two priorities of equal importance, there will exist
situations where the social contract can't be honoured.

In my mind this should read "4. Our Priorities are the Users of Free
Software"

This clause affects the endless debian supporting/not supporting
non-free debate; tempting to bury my head back in the sand, but I can't
help but express my opinion that debian should be selling the ideology
of free software, not its current implementation.



Glenn




Message #45 received at 129604@bugs.debian.org (full text, mbox):

From: Adrian Bunk <bunk@fs.tum.de>
To: Glenn McGrath <bug1@optushome.com.au>, <129604@bugs.debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#129604: Interpreting the Social Contract, what is our priority ?
Date: Thu, 17 Jan 2002 12:26:15 +0100 (CET)
On Thu, 17 Jan 2002, Glenn McGrath wrote:

>...
> "4. Our Priorities are Our Users and Free Software"
>
> If there are two priorities of equal importance, there will exist
> situations where the social contract can't be honoured.
>
> In my mind this should read "4. Our Priorities are the Users of Free
> Software"
>...

That's perhaps in your mind, but the Social Contract makes it clear that
this is an "and". Section 2 of the Social Contract says

  "We will support our users who develop and run non-free software on
   Debian..."

and the complete section

  5. Programs That Don't Meet Our Free-Software Standards

covers our relation to non-free software.


> Glenn

cu
Adrian






Message #50 received at 129604@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Ben Collins <bcollins@debian.org>
Cc: 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: 17 Jan 2002 11:22:34 -0500
>>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:

    Ben> You are misunderstanding two different circumstances.
    Ben> Security alerts happen in two different ways:

    Ben> 1) The Author/Vendor/Security-Group discovers the
    Ben> vulnerability in a closed situation. They want the
    Ben> distribution vendors to have a chance to fix it before making
    Ben> the vulnerability known. So they cooperate. This is good, not
    Ben> only for the distro vendors, but for their users.

I understand this circumstance fine.  Saying that it exists and even
saying that it is ideal does not mean that it is consistent with the
social contract.

I think this bug points out a real variance between the social
contract and what we actually do.  You have not said anything that
presents an argument against this position.  You have simply proposed
that the current practice rather than the social contract is to be
desired.

Perhaps you as DPL should introduce a resolution to fix the social
contract if you believe that the current practice for incident type 1
is correct.  You could probably even convince me to second such a GR.





Message #55 received at 129604@bugs.debian.org (full text, mbox):

From: Ben Collins <bcollins@debian.org>
To: Sam Hartman <hartmans@debian.org>
Cc: 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 11:34:10 -0500
On Thu, Jan 17, 2002 at 11:22:34AM -0500, Sam Hartman wrote:
> >>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:
> 
>     Ben> You are misunderstanding two different circumstances.
>     Ben> Security alerts happen in two different ways:
> 
>     Ben> 1) The Author/Vendor/Security-Group discovers the
>     Ben> vulnerability in a closed situation. They want the
>     Ben> distribution vendors to have a chance to fix it before making
>     Ben> the vulnerability known. So they cooperate. This is good, not
>     Ben> only for the distro vendors, but for their users.
> 
> I understand this circumstance fine.  Saying that it exists and even
> saying that it is ideal does not mean that it is consistent with the
> social contract.
> 
> I think this bug points out a real variance between the social
> contract and what we actually do.  You have not said anything that
> presents an argument against this position.  You have simply proposed
> that the current practice rather than the social contract is to be
> desired.
> 
> Perhaps you as DPL should introduce a resolution to fix the social
> contract if you believe that the current practice for incident type 1
> is correct.  You could probably even convince me to second such a GR.

I think you are confusing "hiding" with "good judgement". Hiding means
keeping it secret for extended, unwarranted periods for no other reason
than to give the appearance that there is no problem. How long after
finding out about an exploit and announcing it would you consider not
hiding? 1 minute, 1 hour, 1 day, 1 week, 1 month? It's all
circumstantial, depending entirely on the situation. We don't "hide"
problems, we address the issues in a timely and intelligent manner.

I as a user would appreciate that if vendors find a problem, they fix it
before announcing it. If it takes them 6 months because they ignore the
problem, then that is bad. If it takes them a week to get their ducks in
a row, then it is worth it. The problem with security updates is that we
are usually following the hackers, trying to keep up with them. The one
instance where we have a chance to get ahead of them, we need to retain.


Ben

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'




Message #60 received at 129604@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@MIT.EDU>
To: Ben Collins <bcollins@debian.org>
Cc: 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: 17 Jan 2002 11:47:09 -0500
>>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:

    Ben> On Thu, Jan 17, 2002 at 11:22:34AM -0500, Sam Hartman wrote:
    >> >>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:
    >> 
    Ben> You are misunderstanding two different circumstances.
    Ben> Security alerts happen in two different ways:
    >>
    Ben> 1) The Author/Vendor/Security-Group discovers the
    Ben> vulnerability in a closed situation. They want the
    Ben> distribution vendors to have a chance to fix it before making
    Ben> the vulnerability known. So they cooperate. This is good, not
    Ben> only for the distro vendors, but for their users.
    >>  I understand this circumstance fine.  Saying that it exists
    >> and even saying that it is ideal does not mean that it is
    >> consistent with the social contract.
    >> 
    >> I think this bug points out a real variance between the social
    >> contract and what we actually do.  You have not said anything
    >> that presents an argument against this position.  You have
    >> simply proposed that the current practice rather than the
    >> social contract is to be desired.
    >> 
    >> Perhaps you as DPL should introduce a resolution to fix the
    >> social contract if you believe that the current practice for
    >> incident type 1 is correct.  You could probably even convince
    >> me to second such a GR.

    Ben> I think you are confusing "hiding" with "good
    Ben> judgement". Hiding means keeping it secret for extended,
    Ben> unwarranted periods for no other reason than to give the
    Ben> appearance that there is no problem. 

OK, this time you did present an argument that we are following the
social contract.  I don't really agree with your argument; I suspect
if I researched the term hiding, researched how most users read that
clause of the social contract, and researched what it was intended to
prevent, then I'd find that your interpretation was neither what was
originally intended nor what our users think we mean.  Certainly I
think your interpretation disagrees with one user's reading presented
in the essay _In the Beginning was the Command Line_.

However I don't actually care enough about the issue to do that
research and present a strong case that your interpretation is
inconsistent with the contract.  Nor do I really want to ask for a
formal interpretation from the secretary under the constitution.  I'm
happy to sit back and let others who actually feel strongly about this
issue do the work of presenting their case, and should they fail to
care to spend the effort either, let the issue drop.

--Sam




Message #65 received at 129604@bugs.debian.org (full text, mbox):

From: Ben Collins <bcollins@debian.org>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 11:56:10 -0500
On Thu, Jan 17, 2002 at 11:47:09AM -0500, Sam Hartman wrote:
> 
> OK, this time you did present an argument that we are following the
> social contract.  I don't really agree with your argument; I suspect
> if I researched the term hiding, researched how most users read that
> clause of the social contract, and researched what it was intended to
> prevent, then I'd find that your interpretation was neither what was
> originally intended nor what our users think we mean.  Certainly I
> think your interpretation disagrees with one user's reading presented
> in the essay _In the Beginning was the Command Line_.
> 
> However I don't actually care enough about the issue to do that
> research and present a strong case that your interpretation is
> inconsistent with the contract.  Nor do I really want to ask for a
> formal interpretation from the secretary under the constitution.  I'm
> happy to sit back and let others who actually feel strongly about this
> issue do the work of presenting their case, and should they fail to
> care to spend the effort either, let the issue drop.
> 

I think most people consider "hiding" as an intent to deceive, when it
comes to security issues (the context we are discussing). While a lot of
users might consider the timeframe between discovery and announcement as
"hiding", we have to make sure they understand that their best interests
are held, and that we are not trying to deceive anyone, and that the
timeframe is not a way to "hide" vulnerabilities, but a mechanism to be
sure they are protected, prior to public knowledge.

I'm sure if it was possible to let users know about a vulnerability
before fixed packages were available, without letting the hackers know,
we would do it.

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'




Message #70 received at 129604@bugs.debian.org (full text, mbox):

From: davidw@dedasys.com (David N. Welton)
To: Sam Hartman <hartmans@debian.org>
Cc: 129604@bugs.debian.org, Ben Collins <bcollins@debian.org>, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: 17 Jan 2002 18:09:29 +0100
Sam Hartman <hartmans@debian.org> writes:

> Perhaps you as DPL should introduce a resolution to fix the social
> contract if you believe that the current practice for incident type
> 1 is correct.  You could probably even convince me to second such a
> GR.

How about we introduce a resolution for a movement to create a
committee to discuss the implementation of a system to enable
developers

to create documents that state a general meaning without being
fanatically legalistic and nit-picky about things.

-- 
David N. Welton
   Consulting: http://www.dedasys.com/
Free Software: http://people.debian.org/~davidw/
   Apache Tcl: http://tcl.apache.org/
     Personal: http://www.efn.org/~davidw/




Message #75 received at 129604@bugs.debian.org (full text, mbox):

From: Ben Collins <bcollins@debian.org>
To: "David N. Welton" <davidw@dedasys.com>
Cc: Sam Hartman <hartmans@debian.org>, 129604@bugs.debian.org, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Thu, 17 Jan 2002 13:04:51 -0500
On Thu, Jan 17, 2002 at 06:09:29PM +0100, David N. Welton wrote:
> Sam Hartman <hartmans@debian.org> writes:
> 
> > Perhaps you as DPL should introduce a resolution to fix the social
> > contract if you believe that the current practice for incident type
> > 1 is correct.  You could probably even convince me to second such a
> > GR.
> 
> How about we introduce a resolution for a movement to create a
> committee to discuss the implementation of a system to enable
> developers
> 
> to create documents that state a general meaning without being
> fanatically legalistic and nit-picky about things.

No offense Sam, but I have to agree with David on this one. We (Debian)
stick to the spirit of our goals, and not the letter, in most cases.
Overkill on wording is just another way to hang ourselves.

We don't hide security issues, and never have. People complain that just
because they have to go through some hoops to become a Debian developer,
we are closed, when they are free to help the project without a
membership card and an @debian.org email address.

This is just another case of nitpicking where people claim that just
because we act in the interest of users, by retaining privileged
information for a due amount of time, we are hiding things. Only
overzealous word benders will read it that way.

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'




Message #80 received at 129604@bugs.debian.org (full text, mbox):

From: Mark VDB <mark@musicaliberata.org>
To: 129604@bugs.debian.org
Subject: a possible third way: guaranteed openness, but only in x days?
Date: Sat, 21 Jul 2001 02:09:10 -0700
Let's say we can find some trustworthy system, or some trusted third party 
to do the following.

Once a security exploit is found, estimate the time needed to fix and send 
it through this system that will deliver the security warning guaranteed 
after the estimated fix period.

I'm sure the idea of a confrontation with an overly conservative fix time 
estimate -afterwards- will keep this silence time short.

Oh well, just an idea. Probably been discussed about before a lot...





Message #85 received at 129604@bugs.debian.org (full text, mbox):

From: Noel Koethe <noel@debian.org>
To: Fabian Fagerholm <fabbe@paniq.net>
Cc: Manoj Srivastava <srivasta@debian.org>, debian-devel@lists.debian.org, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sat, 19 Jan 2002 15:28:00 +0100
On Sam, 19 Jan 2002, Fabian Fagerholm wrote:

> >     d) enter an order with the blacksmith down the street who has an
> >        non buggy lock, and can come fix it before you have your patch
> >        kit in place.
> 
> Sorry, man, he's using the same lock mechanism as I am, just as buggy.
> In fact, it's the same mechanism that most locksmiths have used for
> years everywhere. So we agreed to fix it everywhere as soon as possible,
> and not let the thieves know before it's done.

But the thieves know this problem already because they read the bugtraq
news. The only person who didn't know this problem is the farmer.
He thinks he is secure because his lock vendor has a sign:
"We Won't Hide Problems
We will keep our entire bug-report database open for public view at
all times. Reports that users file on-line will immediately become
visible to others."

-- 
	Noèl Köthe



Information forwarded to general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Steve Langasek <vorlon@netexpress.net>:
Extra info received and filed, but not forwarded. Copy sent to general@packages.qa.debian.org.

Message #90 received at 129604-quiet@bugs.debian.org:

From: Steve Langasek <vorlon@netexpress.net>
To: Noel Koethe <noel@debian.org>
Cc: debian-devel@lists.debian.org, 129604-quiet@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sat, 19 Jan 2002 10:24:36 -0600
On Sat, Jan 19, 2002 at 03:28:00PM +0100, Noel Koethe wrote:
> On Sam, 19 Jan 2002, Fabian Fagerholm wrote:

> > >     d) enter an order with the blacksmith down the street who has an
> > >        non buggy lock, and can come fix it before you have your patch
> > >        kit in place.

> > Sorry, man, he's using the same lock mechanism as I am, just as buggy.
> > In fact, it's the same mechanism that most locksmiths have used for
> > years everywhere. So we agreed to fix it everywhere as soon as possible,
> > and not let the thieves know before it's done.

> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Who said anything about removing security-related bug reports from the 
BTS?  Do you have an example of this happening?  I would be duly 
outraged to learn that someone was removing information from the BTS, 
security-related or not.

But that's not what's happening here.  We're not talking about reports 
filed by users; we're talking about security advisories received *in 
confidence* from organizations like CERT on the condition that we 
*don't* publicize the information before a predetermined time.  Are you 
saying that this idea of not "hiding problems" is so overridingly 
important that it's better for Debian to put itself in a position where 
*we don't get told* about such security flaws until the whole world -- 
including the black hats -- know about it?

It's one thing to keep quiet about a security hole when the information
is already public or there's a known exploit in the wild; and there's 
been disagreement in the past over the security team's policy in such 
cases of waiting for the build daemons before releasing advisories.  
It's another thing to cooperate with those providing us information in 
order to ensure they will continue to do so.

Steve Langasek
postmodern programmer

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Torsten Landschoff <torsten@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #95 received at 129604@bugs.debian.org:

From: Torsten Landschoff <torsten@debian.org>
To: Noel Koethe <noel@debian.org>
Cc: Fabian Fagerholm <fabbe@paniq.net>, Manoj Srivastava <srivasta@debian.org>, debian-devel@lists.debian.org, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sat, 19 Jan 2002 18:16:18 +0100
On Sat, Jan 19, 2002 at 03:28:00PM +0100, Noel Koethe wrote:
 
> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Please wake up, you should know better. We are not removing anything
from the BTS, we keep everything as open as we can. It would just be
impolite to publish confidential information that we receive in
order to service our users better. That way we can try to have new
packages ready at the time when the problem is publicly announced.

cu
	Torsten

Information forwarded to general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Torsten Landschoff <torsten@debian.org>:
Extra info received and filed, but not forwarded. Copy sent to general@packages.qa.debian.org.

Message #100 received at 129604-quiet@bugs.debian.org:

From: Torsten Landschoff <torsten@debian.org>
To: Noel Koethe <noel@debian.org>, debian-devel@lists.debian.org, 129604-quiet@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sat, 19 Jan 2002 18:18:12 +0100
On Sat, Jan 19, 2002 at 10:24:36AM -0600, Steve Langasek wrote:
 
> It's one thing to keep quiet about a security hole when the information
> is already public or there's a known exploit in the wild; and there's 
> been disagreement in the past over the security team's policy in such 
> cases of waiting for the build daemons before releasing advisories.  

We should indeed reconsider that, at least when the problem is 
already widely known e.g. by a bugtraq posting. But let's discuss 
that later - we have to release a distribution!

> It's another thing to cooperate with those providing us information in 
> order to ensure they will continue to do so.

Well put. Fully agreed.

	Torsten

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Anthony DeRobertis <asd@suespammers.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #105 received at 129604@bugs.debian.org:

From: Anthony DeRobertis <asd@suespammers.org>
To: Ben Collins <bcollins@debian.org>, 129604@bugs.debian.org
Cc: "David N. Welton" <davidw@dedasys.com>, Sam Hartman <hartmans@debian.org>, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sat, 19 Jan 2002 13:39:59 -0500
Can't we satisfy not disclosing the vulnerability and letting 
our users know by doing something like this:

	Debian has been informed of a [<<type>>] vulnerability in
	<<package>> [by <<someone>>]. We are preparing an updated
	package, which will be available from security.debian.org
	along with a DSA [on <<date>>].

	To the best of our knowledge, this is not being exploited
	in the wild. However, you are cautioned to take reasonable
	precautions, such as not using <<package>> if not needed.

This way, we don't release the details to the bad guy. We do 
alert our users to be on the lookout.

And we're certainly not hiding our problems, by any stretch of the word.




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Fabian Fagerholm <fabbe@paniq.net>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #110 received at 129604@bugs.debian.org:

From: Fabian Fagerholm <fabbe@paniq.net>
To: Noel Koethe <noel@debian.org>
Cc: debian-devel@lists.debian.org, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: 20 Jan 2002 16:07:08 +0200
On Sat, 2002-01-19 at 16:28, Noel Koethe wrote:
> But the thieves know this problem already because they read the bugtraq
> news. The only person who didn't know this problem is the farmer.
> He thinks he is secure because his lock vendor has a sign:
> "We Won't Hide Problems
> We will keep our entire bug-report database open for public view at
> all times. Reports that users file on-line will immediately become
> visible to others."

Yes, but please read again:
"We will keep our entire //bug-report database// open for public..."
"Reports that //users file on-line// will immediately become..."

That means
1. The BTS and the information in it is publicly accessible.
2. Information submitted to the BTS will go there immediately (i.e. the
BTS is unmoderated, there is no human intervention).

It does NOT say, "whenever we receive any piece of information, this
will be disseminated to the public".


Two notes.
1. This thread has made it sound like I favour a non-public approach to
security issues. This is not the case. In the default case, I think the
information should be released to the public without delay. But there
are some special situations where it can be beneficial for security not
to release the information until certain conditions are met.
2. "Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law." See also the section "NO WARRANTY",
paragraphs 11 and 12 of the GPL, section 10 of the Artistic License or
the section on warranty of the BSD-style license, which I think are the
three most common licenses under which software included in Debian is
distributed. There is no guarantee that Debian is totally secure in all
respects, and the reasonable efforts to fix security issues that we do
make do not replace a security-conscious sysadmin. Security is not
plug-and-play.

Cheers,
fabbe





Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Scott Dier <dieman@ringworld.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #115 received at 129604@bugs.debian.org:

From: Scott Dier <dieman@ringworld.org>
To: Anthony DeRobertis <asd@suespammers.org>, 129604@bugs.debian.org
Cc: Ben Collins <bcollins@debian.org>, "David N. Welton" <davidw@dedasys.com>, Sam Hartman <hartmans@debian.org>, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sun, 20 Jan 2002 17:08:01 -0600
* Anthony DeRobertis <asd@suespammers.org> [020119 13:09]:
> Can't we satisfy not disclosing the vulnerability and letting 
> our users know by doing something like this:
> 
> 	Debian has been informed of a [<<type>>] vulnerability in

I only advise that this happens IF and ONLY IF those alerting multiple
vendors say it is ok, and IF and ONLY IF it gets put out on widely used
channels, in a context not debian specific.  (bugtraq, for instance)

If we just warn debian users, we do a disservice to other vendors.

If we warn without asking, we will never find out in advance from anyone
anymore, and our users will be worse off.

-- 
Scott Dier <dieman@ringworld.org> http://www.ringworld.org/

the desire for space travel is a metaphor for escape

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to "Anthony DeRobertis" <asd@suespammers.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #120 received at 129604@bugs.debian.org:

From: "Anthony DeRobertis" <asd@suespammers.org>
To: Scott Dier <dieman@ringworld.org>
Cc: 129604@bugs.debian.org, Ben Collins <bcollins@debian.org>, "David N. Welton" <davidw@dedasys.com>, Sam Hartman <hartmans@debian.org>, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Sun, 20 Jan 2002 19:15:06 -0500
Scott Dier writes: 

> I only advise that this happens IF and ONLY IF those alerting multiple
> vendors say it is ok,

I agree. We don't want to be left out in the cold. If a consensus could be 
obtained in the security community then we can make it standing, documented 
Debian policy. 

> and IF and ONLY IF it gets put out on widely used
> channels, in a context not debian specific.  (bugtraq, for instance) 
> 
> If we just warn debian users, we do a disservice to other vendors.

I don't see why. If other vendors keep their users in the dark when they 
don't have to (i.e., alerting party says 'there is a bug' notification is 
OK), then they are doing their own users a disfavor. 

Of course, quite a few DSAs go to bugtraq anyway, so these alerts might
too.


Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to Michael Stone <mstone@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #125 received at 129604@bugs.debian.org:

From: Michael Stone <mstone@debian.org>
To: Anthony DeRobertis <asd@suespammers.org>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Fri, 25 Jan 2002 11:16:45 -0500
On Sat, Jan 19, 2002 at 01:39:59PM -0500, Anthony DeRobertis wrote:
> Can't we satisfy not disclosing the vulnerability and letting 
> our users know by doing something like this:
> 
> 	Debian has been informed of a [<<type>>] vulnerability in
> 	<<package>> [by <<someone>>]. We are preparing an updated
> 	package, which will be available from security.debian.org
> 	along with a DSA [on <<date>>].

No. If the information was given in confidence then the recipients
cannot in good conscience disclose *any* of the information. You can
argue the point with those who originated the information, but not those
who received it.

-- 
Mike Stone



Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, general@packages.qa.debian.org:
Bug#129604; Package general.

Acknowledgement sent to "Anthony DeRobertis" <asd@suespammers.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, general@packages.qa.debian.org.

Message #130 received at 129604@bugs.debian.org:

From: "Anthony DeRobertis" <asd@suespammers.org>
To: Michael Stone <mstone@debian.org>
Cc: Anthony DeRobertis <asd@suespammers.org>, 129604@bugs.debian.org
Subject: Re: Bug#129604: general: Social Contract: We Do Hide Problems
Date: Fri, 25 Jan 2002 15:33:59 -0500
Michael Stone writes: 

> On Sat, Jan 19, 2002 at 01:39:59PM -0500, Anthony DeRobertis wrote:
>> Can't we satisfy not disclosing the vulnerability and letting 
>> our users know by doing something like this: 
>> 
>> 	Debian has been informed of a [<<type>>] vulnerability in
>> 	<<package>> [by <<someone>>]. We are preparing an updated
>> 	package, which will be available from security.debian.org
>> 	along with a DSA [on <<date>>].
> 
> No. If the information was given in confidence then the recipients
> cannot in good conscience disclose *any* of the information. You can
> argue the point with those who originated the information, but not those
> who received it.

I suggested the above because I don't see why the people originating the
information would object. We should, of course, ask them first.

Iff it becomes accepted policy in the security community for a vendor to do 
an announcement like the above, then we could make it our standard way of 
handling security problems, and document that on the web page. 

I don't want Debian left out in the cold by the security community! 

> 
> -- 
> Mike Stone 
> 






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:32:08 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.