[MeeGo-dev] Meego Bugs Access Denied
jku at linux.intel.com
Tue Nov 2 03:48:12 PDT 2010
On 11/02/2010 11:43 AM, Jeremiah Foster wrote:
> On Nov 1, 2010, at 20:03, Ryan Ware wrote:
>> On Mon, Nov 1, 2010 at 10:51 AM, Jeremiah Foster
>> <jeremiah.foster at pelagicore.com> wrote:
>>> My understanding with most Open Source projects is that bugs would
>>> never be hidden - the current policy, even if it applies to just
>>> one hardware vendor, seems to be in direct contradiction to the
>>> Linux Foundation claims to openness. I'd like to point out that the
>>> Linux Foundation bylaws state; "The purposes of this corporation
>>> include promoting, protecting, and standardizing Linux and open
>>> source software."
>> Then your understanding is incorrect.
> Is it?
> Debian is one of the oldest Linux distros, the largest in terms of
> packages, and the most successful in terms of deployment if you count
> derivatives such as Ubuntu, Mint, etc. Here's their bug policy:
> http://www.debian.org/social_contract from which I quote; "We will
> keep our entire bug report database open for public view at all
> Fedora is also a large, highly successful Linux Distro, here is their
> policy: http://fedoraproject.org/wiki/Security/TrackingBugs I'll
> highlight a quote: "Parent bug is publicly viewable."
> The GNU project which comprises a significant portion of any Linux
> distribution, including MeeGo, also has an open bug policy.
> Gentoo's policy has an exception that they have a security embargo:
> http://www.gentoo.org/security/en/vulnerability-policy.xml Gentoo's
> policy is reasonable because they are aiming to protect their users
> from known zero day exploits which may directly affect users. It is
> interesting to note that other Open Source projects have also
> considered this policy, but rejected it as offering no real security
> I don't think my understanding is incorrect; Open Source projects
> have open bugtrackers.
It is incorrect, at least with regard to distros. There are various ways
to deal with this and a very common approach is to keep selected bugs
closed (this is also a requirement for access to various vulnerability
As an example, these distros embargo security information in some form:
That's five out of the five distros you mentioned. At least the last
four use a bug tracking system in the same way MeeGo does.
Whether the MeeGo Bugzilla is the right place for other limited-access bugs
may be debatable. Arguing that a vulnerability information embargo is an
uncommon policy among distros is just silly.