Security testing: need for a security policy, and a security-critical package process

Adam Williamson awilliam at redhat.com
Tue Nov 24 02:10:59 UTC 2009


On Mon, 2009-11-23 at 19:38 -0500, Matthias Clasen wrote:

> How that translates in packages and defaults is not really the most
> important part, but the plan is to have strict package defaults + a
> policy package that makes things work. 
> 
> The important part is that we QA the combination, not just the strict
> defaults. 

Right. If the Grand Plan is to go down this path, then what I've been
referring to as 'the security policy' would include the policies defined
for each spin, and hence any testing QA did for any given spin would
involve the policy defined for that spin.

Having said that - is everyone agreeing that it's fine for each spin SIG
to be entirely in charge of defining and implementing security policy
for each spin? At the very least, that would possibly be problematic
given the known border issues between 'the desktop spin' and 'Fedora'.
Just another issue contributing to why we would need to settle that.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
