Simon Josefsson <[email protected]> writes:

> I think that is not the only possible scenario -- another one that I
> find at least reasonable, if not more likely, is that anyone who
> considered volunteering to implement this soon realized that there are
> fundamental aspects that would need to be addressed first, raised those
> concerns, did not find sufficient support or interest to address or talk
> about the concerns, and started to work on improving those issues
> elsewhere (if they at all cared to pursue it further, demotivation is a
> factor too).

Sure, I intended to include that in "not in a position to do that work."
Missing prerequisites is one of the reasons why someone may not be in a
position to do that work.

> That pattern applies to Ubuntu, although I guess ISO 27001 on its own
> may not have been the biggest motivation there.  Still, the end result
> is that Ubuntu has ISO 27k and Debian hasn't.

I think we're both agreeing on ISO 27001.  I would expect the current
state, since Ubuntu is (in part) the product of a commercial company that
wants to sell to the sorts of institutions that care about ISO 27001 and
therefore is willing to pay people to do the tedious and annoying work of
filling out all the paperwork required for certification.  Debian is
(presumably) not.  It's not at all obvious to me, as someone who has
worked on ISO 27001 and other security certifications before, why Debian
would bother.

The current certification state feels like an excellent division of labor
to me: The volunteer project works on the things that are more interesting
and enjoyable to do in one's spare time or as targeted contract work, and
the company attempting to make a commercial product takes a snapshot of
that work and then does all the tedious and annoying certification
paperwork filing and maintenance, which often requires a full-time
compliance team, external audits depending on the specific certification,
etc.

Certification compliance is not something I would ever work on without
being paid, personally.  It is not enjoyable or fun; it's a job whose only
real benefit is the paycheck you get for doing it.  That's of course just
my personal opinion; maybe someone out there finds filling out ISO 27001
paperwork a great way to spend a lazy Saturday afternoon.

> (I guess the reference to "you" is not directly meant to me, but someone
> else?  I don't recall bringing up ISO 27k before and personally I find
> such certifications, like FIPS, generally more harmful than useful.
> Some parts of ISO 27k bring up important topics, but you can become ISO
> 27k certified without really addressing the problems, and some of the
> topics they bring up may imply worse technical solutions.)

No, I mean you, but I was talking about the "I would disagree that Debian
would not be improved by further documentation and transparency work" part
of your message.  You have been making this point for some time, and still
seem unhappy with the current state, so I assume that the basic problem is
lack of volunteer resources.  That may include resources to work through
whatever underlying concerns people may have uncovered and figure out how
to address them within Debian's structure; that is, indeed, part of that
work.

My point is that I don't think anyone is *opposed* to "further
documentation and transparency work."  There are just a lot of things to
do in Debian and people work on the things they think are important or
enjoy.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

