Security testing: need for a security policy, and a security-critical package process
Toshio Kuratomi
a.badger at gmail.com
Tue Nov 24 16:19:06 UTC 2009
On Mon, Nov 23, 2009 at 06:10:59PM -0800, Adam Williamson wrote:
> On Mon, 2009-11-23 at 19:38 -0500, Matthias Clasen wrote:
>
> > How that translates in packages and defaults is not really the most
> > important part, but the plan is to have strict package defaults + a
> > policy package that makes things work.
> >
> > The important part is that we QA the combination, not just the strict
> > defaults.
>
> Right. If the Grand Plan is to go down this path, then what I've been
> referring to as 'the security policy' would include the policies defined
> for each spin, and hence any testing QA did for any given spin would
> involve the policy defined for that spin.
>
> Having said that - is everyone agreeing that it's fine for each spin SIG
> to be entirely in charge of defining and implementing security policy
> for each spin? At the very least, that would possibly be problematic
> given the known border issues between 'the desktop spin' and 'Fedora'.
> Just another issue contributing to why we would need to settle that.
>
I'm very much against that. Fedora, Linux, and Unix-like operating systems
have built a reputation as a more secure alternative to Windows and other
operating systems. We have to have some level of security that comes
enabled on all systems no matter what the spin.
Also, conflating "Fedora" with the "Desktop Spin" is something I'm very
uncomfortable with here. A spin meant to highlight what the authors think
is the most convenient experience for a single user desktop system
apparently wants to do things that I am not at all for highlighting as the
default Fedora environment. We need to separate these so that the Desktop
Spin can live its own life without the additional constraints of being
Fedora.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20091124/68d94776/attachment.sig>
More information about the fedora-devel-list
mailing list