Security testing: need for a security policy, and a security-critical package process

Eric Christensen eric at
Tue Dec 1 18:04:02 UTC 2009

On Tue, Dec 1, 2009 at 12:47, Gene Czarcinski <gene at> wrote:

> On Monday 30 November 2009 18:16:50 Adam Williamson wrote:
>  > Where I'm currently at is that I'm going to talk to some Red Hat /
> > Fedora security folks about the issues raised in all the discussions
> > about this, including this thread, and then file a ticket to ask FESco
> > to look at the matter, possibly including a proposed policy if the
> > security folks help come up with one. And for the moment, only really
> > concerned with the question of privileges.
> >
> Start small with just privilege escalation and it can be grown to be
> something
> more comprehensive.  FESco is the right place to go and see what the
> project
> wants to do.

There is already a security policy in place.  It's not formalized nor is it
written down but it's there.  It's the current posture of Fedora.  We set a
root passphrase at the beginning of install and we give people the option of
securing GRUB with a passphrase and encrypting the hard drive.  We also have
the unwritten rule of user privileges.

It may be time to document our current posture to at least show where we are
and the standard we expect all developers to live up to.   In the process of
documenting you may find that we are lacking somewhere.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the fedora-devel-list mailing list