Security testing: need for a security policy, and a security-critical package process

Gene Czarcinski gene at
Tue Dec 1 17:38:25 UTC 2009

On Monday 30 November 2009 22:40:07 Hal Murray wrote:
> gene at said:
> ...
> > A written description of the security policy is a must!
> ...
> Is the idea of a single one-size-fits-all security policy reasonable?  I 
> think Fedora has a broad range of users.
No.  Initially, I recommend one security policy and one reference 
implementation to test against.  Each variation needs its own security policy 
and reference implementation definition.  Later ones are easier to create 
because they can use the early ones as "guidance".

So, why go through all of this paperwork and bureaucratic bullshit?  Well, 
those of us who have done this before believe that it is necessary.  I do not 
like the bureaucratic BS any more than anyone else but, if you do not do it, 
then you are not quite sure what you have when you say that something meets 
security requirements.


More information about the fedora-devel-list mailing list