Security testing: need for a security policy, and a security-critical package process

Eric Christensen eric at
Tue Dec 1 17:47:23 UTC 2009

On Mon, Nov 30, 2009 at 22:40, Hal Murray <hmurray at> wrote:

> gene at said:
> ...
> > A written description of the security policy is a must!
> ...
> Is the idea of a single one-size-fits-all security policy reasonable?  I
> think Fedora has a broad range of users.

Probably not, but there are some basics that should be implemented for

> Security is a tradeoff.  If you make it impossible for the bad guys to get
> in, the good guys probably can't get any work done.  How secure do you need
> to be?  How much are you willing to pay for it?

How much are you willing to pay to clean up the aftermath?

> I'd much rather have an overview document that explains the likely attacks
> and potential solutions, and their costs and benefits.  Additionally, I
> think it's much easier to follow a policy if I understand the reasoning
> behind it.

The Fedora Security Guide (found at and in a friendly
repo near you) started out that way and has blossomed into that and a whole
lot more.  As always, suggestions and patches are welcome.

> I think sample policy documents with descriptions of their target audience
> and checklists for how to implement them would be helpful.

