ATTN shadow-utils maintainer (Was Re: More PATH fallout. Who decided this was a good idea?)
Steve Grubb
sgrubb at redhat.com
Sat Dec 6 20:38:22 UTC 2008
On Saturday 06 December 2008 15:01:18 Callum Lerwick wrote:
> On Sat, 2008-12-06 at 10:29 -0900, Jeff Spaleta wrote:
> > I think CAPP certification, as I understand it, is a poor fit for the
> > security needs of our default Fedora offerings, where we expect an
> > active network. That could be part of the problem. CAPP certification
> > certainly feels like the wrong capability to try to target in our
> > default usage case. Our default usage scenario for the supported spins
> > is simply not the usage that CAPP tries to handle. But it could be
> > very useful for a new spin concept which targets exactly the usage
> > case the CAPP speak to.
>
> So I guess this is what all this really comes down to: Do we care about
> certification?
I think the answer is yes. A lot of work goes into analyzing the software. The
fact that you have a man page for each syscall is a product of our
certification work. As of fedora 7 you had man pages for each syscall. Since
then we have not had to do work aimed at a CAPP cert and guess what? You once
again have syscalls without man pages.
We go over all the code that makes any kind of decision related to access
control, trusted databases, and crypto. We file and fix many bugs. Test suites
are created out of this effort and the whole community has access to them. This
work is done by a team of people in and outside of Red Hat with a like-minded
goal of giving Linux the ability to be certified. As a result, Fedora is the
ONLY community distribution that actually meets certification requirements.
OpenSuse might be close for CAPP, but not LSPP/RSBAC, but that would be the
only one I can think of that might be getting close.
Do you like the way that IPv6 works in Fedora? That was done by working on a
certification. Do you like crypto that works? We are currently doing that
certification. Would you like to see virtualization with strong guarantees of
vm separation...guess what?...another certification effort. These are what
enable Linux to be used confidently knowing that it will interoperate or follow
industry guidelines.
> Hey, Steve Grubb, are you the shadow-utils maintainer?
No, but he's on my team.
> Whoever the shadow-utils maintainer(s) is/are, do you want to agree to put
> this up to a FESCo vote?
That depends on what we are voting on.
-Steve
More information about the fedora-devel-list
mailing list