[MeeGo-dev] Meego Bugs Access Denied
jeremiah.foster at pelagicore.com
Tue Nov 2 02:43:53 PDT 2010
On Nov 1, 2010, at 20:03, Ryan Ware wrote:
> On Mon, Nov 1, 2010 at 10:51 AM, Jeremiah Foster <jeremiah.foster at pelagicore.com> wrote:
> My understanding with most Open Source projects is that bugs would never be hidden - the current policy, even if it applies to just one hardware vendor, seems to be in direct contradiction to the Linux Foundation claims to openness. I'd like to point out that the Linux Foundation bylaws state: "The purposes of this corporation include promoting, protecting, and standardizing Linux and open source software."
> Then your understanding is incorrect.
Debian is one of the oldest Linux distros, the largest in terms of packages, and the most successful in terms of deployment if you count derivatives such as Ubuntu, Mint, etc. Here's their bug policy: http://www.debian.org/social_contract from which I quote: "We will keep our entire bug report database open for public view at all times."
Fedora is also a large, highly successful Linux distro; here is their policy: http://fedoraproject.org/wiki/Security/TrackingBugs I'll highlight a quote: "Parent bug is publicly viewable."
The GNU project, which comprises a significant portion of any Linux distribution, including MeeGo, also has an open bug policy.
Gentoo's policy has an exception that they have a security embargo: http://www.gentoo.org/security/en/vulnerability-policy.xml Gentoo's policy is reasonable because they are aiming to protect their users from known zero day exploits which may directly affect users. It is interesting to note that other Open Source projects have also considered this policy, but rejected it as offering no real security advantage.
I don't think my understanding is incorrect; Open Source projects have open bugtrackers.
> As I've previously explained, the vast majority (if not all) of highly visible open source projects keep security issues closed until they are resolved.
I don't think anyone has a problem with a MeeGo Bugzilla security embargo as long as that embargo is clearly explained, and reaches a consensus in the community. My understanding was that the policy that was in place in MeeGo's bug tracker met neither of those conditions.
> That said, there is no reason I see that this particular bug should have been anything but open.