Security Policy
Waldo Bastian
kde-policies@mail.kde.org
Mon, 10 Mar 2003 22:19:56 +0100
On Monday 10 March 2003 03:27, Neil Stevens wrote:
> KDE at this time appears to lack any published policy on the hiding or
> warning of problems in KDE. I mentioned this once before on
> kde-core-devel, but now we have a list for these matters, so I bring it up
> again.
>
> I would suggest that KDE developers describe for users precisely what will
> be done with information related to KDE bugs, and when and if users will
> be warned of risks to their systems.
>
> Just to get things started, I make this description of what my policy is:
> I will not, under any circumstances, withhold from users any information
> related to a threat, real or potential, to their privacy, security, or
> system reliability. This goes not just for any problems with software I
> maintain, but for any other software problems I become aware of.
I broadly agree with that but with two nuances:
* I think it is important to alert users to a threat and to provide them with
information on how to eliminate that threat, but I don't think that
publishing detailed exploit information is in the interest of the user.
* I think it's justified to delay the publishing of information when work is
actively being done on either a) a better impact analysis or b) a fix for
the problem. Once you disclose the threat there will be increased attention
for that vulnerability, so it's very important to provide correct information
and credible solutions to eliminate that threat at the time of disclosure. I
also think that it is counter-productive to have multiple publications in
short succession on a single issue, since I think that that blurs the
attention of the users that you try to reach. I think perhaps the most
critical element of a security update is the user actually applying the
update. For that, effective and efficient communication with the user is
vital IMO. So I think that the goal should be to get it right and complete
the first time.
This isn't black and white though, you will have to take into account the
circumstances, the threat level, whether the threat is real or potential in
nature, potential impact...
Cheers,
Waldo
--
bastian@kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian@suse.com